
RKill - What it does and What it Doesn't - A brief introduction to the program


995 replies to this topic

#961 HolyCowz

Posted 17 November 2016 - 04:47 AM

Varangian

I get some of the [Missing Service] and 

 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
So it must be Windows 10 that produces false positives; I too used the latest version of RKill.




#962 vilhavekktesla

Posted 17 November 2016 - 03:09 PM

Try to read about Rkill from Grinler; maybe the readmes / what's new explain some of the messages.

I got a few messages on W7 and XP last summer when I tried, and the cases were reported, so the later version fixed some and told me the reason for others.

Keep on reporting, and if you have more than one computer available with mostly the same systems running, then do some tests so Rkill is always updated and as good as possible.

I have not yet had any cases where Rkill had to fix anything, so I cannot tell whether I had cases needing fixing.

I simply use Rkill as one of many preventative measures.

Best regards


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0 or newer (if needed)

The master key is released so there is no need to pay to get the key.

More than 200 different ransomwares exist so think safe backups at all time.


#963 quietman7

  • Global Moderator

Posted 17 November 2016 - 04:22 PM

Grinler will fix the Rkill issues with Windows 10 anniversary update as soon as he gets the chance. As the site owner, he is very busy with other things. Just ignore any errors of services missing for now.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#964 deentblcmpt

Posted 26 November 2016 - 08:49 PM

I'm hoping someone has experienced this error when opening rkill.exe or rkill.com :

---------------------------

Issue:

Common_Desktop doesn't exist! Rkill Terminated!
(shown in the C:\Users***\Desktop\rkill.exe black terminal box)

Then on a white pop-up window with an "OK" button - error:

Rkill Error
There was a problem retrieving the path for: Issue: Common_Desktop. Rkill has terminated!

----------------------------

I have never had any issues with running Rkill.exe and its ability to terminate processes etc... The computer seems "normal" but I routinely run this program before running Malwarebytes.

Before writing, I have also run BootkitRemoval_x64.exe, aswMBR.exe, AdwCleaner.exe, JRT.exe.
Nothing major found on any of these.

So, I am just confused or puzzled why the above error on Rkill.exe -- Common_Desktop doesn't exist! Rkill Terminated!

Any help is appreciated!

Thanks much.

 



#965 Mi_Maakim

Posted 30 November 2016 - 08:28 AM

Grinler,

 

Does rkill.com create a new file named rkill64.com to be run on an x64 machine?

 

Here is a list of rkill-related files on my computer:

 

SHA-1: 9852e771cc191380a02e65b3efa5ed2d0aa09c87 - rkill.com - Modified date: Thursday, April 07, 2016, 3:57:19 AM

SHA-1: 275513b755211b9d7fdba817e53be73ec89934bb - rkill64.com - Modified date: Wednesday, October 05, 2016, 9:21:40 PM
SHA-1: 275513b755211b9d7fdba817e53be73ec89934bb - rkill64-4989.com - Modified date: Friday, November 11, 2016, 7:00:04 PM
SHA-1: 275513b755211b9d7fdba817e53be73ec89934bb - rkill64-27296.com - Modified date: Thursday, November 24, 2016, 9:55:46 AM
 
Each of them has a VALID digital signature.
 
Could you check the validity of SHA-1 for me?

Edited by Mi_Maakim, 30 November 2016 - 08:30 AM.
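
The hash and signature comparison asked about in the post above can be done locally. This is an added example, not part of the original post and not code from Rkill or BleepingComputer; the folder path and the `rkill*` file filter are assumptions to adjust.

```powershell
# Added example: inventory Rkill copies by hash and Authenticode signature.
# $Folder is an assumed location; pass the directory that holds the downloads.
param([string]$Folder = "$env:USERPROFILE\Downloads")

$inventory = Get-ChildItem -LiteralPath $Folder -Filter 'rkill*' -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Modified  = $_.LastWriteTime
            SHA1      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash.ToLower()
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            SigStatus = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            CertThumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '(none)' }
        }
    }

# Copies that share a SHA-256 are the same bytes saved under different names.
$inventory | Group-Object -Property SHA256 | ForEach-Object {
    [pscustomobject]@{
        SHA256 = $_.Name
        Copies = ($_.Group.Name | Sort-Object) -join ', '
    }
} | Format-List

# Sorting by certificate thumbprint puts files from the same signer next to each other.
$inventory | Sort-Object CertThumb, Name |
    Format-Table Name, SHA1, SigStatus, Signer, Modified -AutoSize

# A status other than Valid means the signature could not be verified for that file.
$notValid = @($inventory | Where-Object { $_.SigStatus -ne 'Valid' })
if ($notValid.Count -gt 0) {
    Write-Warning ("Signature not valid for: " + ($notValid.Name -join ', '))
}
```

A matching hash only shows that two files are identical to each other; the signer shown for a Valid signature is what ties a file to its publisher.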


#966 Sara_K

Posted 01 February 2017 - 01:36 PM

Hey there, 

I am trying to download this app from the mail page but all the sources provide a different size file (1.9mb instead of 891kbs). More than that, there are 6-7 false(?) positive virus alarms. I've read about the fake antivirus alarms but, taking into consideration the possibility of catching "the flu", I prefer to double check.

https://www.virustotal.com/en/file/6f084bfc9e26773a7d8f6c59b3650f7307a7b725fd2e9fddcba2199c28a349af/analysis/1485971225/

 

Could anyone please provide and also put in the description the SHA/MD5/etc of the original Rkill.exe file v.2.8.4.0?

I appreciate it,


Edited by Sara_K, 01 February 2017 - 01:36 PM.


#967 quietman7

  • Global Moderator

Posted 01 February 2017 - 05:59 PM

If you are referring to the RKill download links, the detection is a false positive by the anti-virus.

Bleeping Computer's hosted programs for download are trustworthy, safe and malware-free. However, depending on the product, some anti-virus software and other security scanners may flag certain programs as a threat for a variety of reasons when that is not the case. In these instances the detection is a "false positive" and can be ignored.

Most of the well known specialized tools we use against malware are written by experts/Security Colleagues at various security forums like Bleeping Computer, TechSupport, GeeksToGo, Emsisoft and other similar sites so they can be trusted...this includes any program hosted by BC for download.

As for the different versions of RKill...some types of malware will target security tools and files (processes) by name so they will not run. In some cases, the malware will flag and block these files by providing bogus (fake) alerts indicating they are malicious or infected. At the same time however, the malware will ignore and allow some selected processes (certain core system components) to run. These core system components are usually critical system files which are necessary for the operating system. Since the malware will ignore these files (processes), renaming security tools to those with critical system file names allows them to run normally so they detect and remove the infection. Knowing this, instead of having to change file extensions for RKill if it does not run, downloads are provided by the developer (Grinler, site owner of Bleeping Computer) with different file extensions and renamed versions as a convenience to the user.

 

Since malware often disguises itself as a legitimate Windows file, renamed versions are sometimes falsely detected.



#968 Sara_K

Posted 02 February 2017 - 08:19 AM

Sounds great. Thank you for your feedback.

Could you please provide SHA/MD5 of the Rkill.exe file v.2.8.4.0? Thanks


Edited by Sara_K, 02 February 2017 - 08:19 AM.


#969 quietman7

  • Global Moderator

Posted 02 February 2017 - 10:08 AM

Jotti Virusscan File Hash Search for RKill.exe
VirScan Hash Search for RKill.exe

#970 MarvinWWW

Posted 20 March 2017 - 02:00 PM

My little netbook (Acer One Aspire) has only 1 Gbyte of RAM, so I instructed Windows 10 to use 4 GBytes of my SD Card as "ReadyBoost" memory.  Can anyone state definitively that RKill operates on Windows 10 ReadyBoost "memory"?

 

Thanks for your feedback.

 

(I already used the bleepingcomputer.com "Search This Topic" feature to search the current topic for the word "boost" and found nothing.)


Edited by MarvinWWW, 20 March 2017 - 02:02 PM.


#971 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin

Posted 22 March 2017 - 10:44 AM

Should work. Give it a try. Rkill is a small program and does not utilize a lot of memory.

#972 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin

Posted 22 March 2017 - 12:32 PM

Rkill has been updated to try and fix the service checks. Those who are willing, I would appreciate if you can download and test the beta here:

https://download.bleepingcomputer.com/grinler/rkill-beta.exe

Please post any logs showing service issues.

I also added 400+ new malware services that will be stopped by rkill.

#973 garioch7

  • Malware Response Team

Posted 24 March 2017 - 02:03 PM

Grinler:

 

I just downloaded and ran the beta on my Windows 10 Pro x64 (Build 1607 - fully updated to today [KB4015438]).

 

 

Rkill 2.9.0BETA by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 03/24/2017 03:57:09 PM in x64 mode.
Windows Version: Windows 10 Pro 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * CldFlt [Missing Service]
 * DevicesFlowUserSvc [Missing Service]
 * DusmSvc [Missing Service]
 * E1G60 [Missing Service]
 * IpxlatCfgSvc [Missing Service]
 * mausbhost [Missing Service]
 * mausbip [Missing Service]
 * pmem [Missing Service]
 * SDFRd [Missing Service]
 * SEMgrSvc [Missing Service]
 * spectrum [Missing Service]
 * WFDSConMgrSvc [Missing Service]
 * WinNat [Missing Service]
 * wlpasvc [Missing Service]
 
 * CompositeBus => \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_a140581a8f8b58b7\CompositeBus.sys [Incorrect ImagePath]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 03/24/2017 03:57:35 PM
Execution time: 0 hours(s), 0 minute(s), and 25 seconds(s)

 

 
I hope this is of some help to you.  I have Bitdefender 2017 Total Security as my anti-virus, and it disables Windows Defender, so that entry is correct.  Have a great weekend.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators
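
To review "Checking Windows Service Integrity" findings like those in the log above, each flagged service can be looked up in the registry and shown beside what Rkill reported. This is an added example, not part of the original post or of Rkill; the sample log lines are constructed from the format shown in this thread.

```powershell
# Added example: cross-check Rkill "Service Integrity" findings against the registry.
# Constructed sample in the log format shown in this thread; replace with your own log text.
$log = @'
Checking Windows Service Integrity: 

 * CldFlt [Missing Service]
 * WinNat [Missing Service]
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures: 

 * No issues found.
'@ -split "`r?`n"

# Matches " * Name [Finding]" and " * Name => value [Finding]".
$pattern = '^\s*\*\s+(?<name>\S+)(?:\s+=>\s+(?<value>.+?))?\s+\[(?<finding>[^\]]+)\]\s*$'
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Read values unexpanded so %SystemRoot% compares like-for-like with the log.
$raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$report = foreach ($line in $log) {
    if ($line -notmatch $pattern) { continue }
    $name, $finding, $reported = $Matches['name'], $Matches['finding'], $Matches['value']

    # ImagePath sits on the service key; ServiceDll sits under its Parameters subkey.
    $key    = Get-Item -LiteralPath "$svcRoot\$name" -ErrorAction SilentlyContinue
    $params = Get-Item -LiteralPath "$svcRoot\$name\Parameters" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Service      = $name
        RkillFinding = $finding
        RkillValue   = $reported
        KeyExists    = [bool]$key
        ImagePath    = if ($key)    { $key.GetValue('ImagePath', $null, $raw) }
        ServiceDll   = if ($params) { $params.GetValue('ServiceDll', $null, $raw) }
    }
}

$report | Format-List
```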


#974 MarvinWWW

Posted 26 March 2017 - 02:17 PM

My little netbook (Acer One Aspire) has only 1 Gbyte of RAM, so I instructed Windows 10 to use 4 GBytes of my SD Card as "ReadyBoost" memory.  Can anyone state definitively that RKill operates on Windows 10 ReadyBoost "memory"?

 

Thanks for your feedback.

 

(I already used the bleepingcomputer.com "Search This Topic" feature to search the current topic for the word "boost" and found nothing.)

 

When I posted the above a few weeks ago, I guess I was not clear. I use RKill regularly, and it does in fact run on my little netbook. My question is: Does RKill understand that I am using ReadyBoost memory and thus it should check some of the space on my SD card for malware in addition to checking the built-in RAM? Sorry for the confusion on my earlier post. I hope this makes my question clearer.



#975 arturo2005

Posted 31 March 2017 - 12:52 AM

Hi, two weeks ago I had to repair my operating system. I was getting a blue screen error saying that there was a missing boot file. After I did the repair, I did a full scan using Windows Defender in Safe Mode. It found the trojan:win32/vigorf.a which I deleted along with another Trojan, whose name I can't remember. Today, I found the Trojan: Win32/Rundas.A in the file below. My question is: did this Trojan come through the download of this file rkill.com below, and should I do a clean install of Windows 10? I tried to delete the Windows.Old file but I was getting messages that if certain files were deleted, Windows would not work correctly. So I didn't delete the file. Thanks for your help.
 
Detected Item                                  Alert Level        Status                       Recommend action
Trojan: Win32/Rundas.A                 Severe             Succeeded                Remove
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
file;C:Windows.old\Users\Arthur\Downloads\Virus_Removal_Tool\Batch_Files\rkill.com 




