RKill - What it does and What it Doesn't - A brief introduction to the program



#976 quietman7 (Global Moderator)

Posted 31 March 2017 - 05:30 AM

RKill and all Bleeping Computer's hosted programs for download are trustworthy, safe and malware-free. However, depending on the product, some anti-virus software and other security scanners may flag certain programs as a threat for a variety of reasons when that is not the case.

Most of the well known specialized tools we use against malware are written by experts/Security Colleagues at various security forums like Bleeping Computer, TechSupport, GeeksToGo, Emsisoft and other similar sites so they can be trusted...this includes any program hosted by BC for download. Unfortunately, many of these tools (or their embedded files) are falsely detected by various anti-virus programs from time to time. This in turn sometimes results in an inaccurate site rating/warning by browsers of potentially dangerous software when that is not the case.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#977 arturo2005

Posted 01 April 2017 - 03:08 PM

Hi, two weeks ago I had to repair my operating system. I was getting a blue screen error saying that a boot file was missing. After I did the repair, I did a full scan using Windows Defender in Safe Mode. It found Trojan:Win32/Vigorf.A, which I deleted along with another Trojan whose name I can't remember. Today, I found Trojan:Win32/Rundas.A in the file below. My question is: did this Trojan come through the download of this file rkill.com below, and should I do a clean install of Windows 10? I tried to delete the Windows.Old file, but I was getting messages that if certain files were deleted, Windows would not work correctly. So I didn't delete the file. Thanks for your help.
 
Detected Item            Alert Level   Status      Recommend action
Trojan: Win32/Rundas.A   Severe        Succeeded   Remove
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
file;C:Windows.old\Users\Arthur\Downloads\Virus_Removal_Tool\Batch_Files\rkill.com

 

When I posted my question about the Trojan:Win32/Rundas.A found in the file above, I should have clarified my question about this malware it found. I guess the way I posed my question before, it sounded like I thought I downloaded the Trojan in the file that Windows Defender said it found it in. I also believe that RKill and all Bleeping Computer's programs are trustworthy, safe and malware-free, and I appreciate the tools and help they provide to people like myself.

That download was an old download, and I was wondering if Trojans can find a vulnerability or flaw in an old download or program that has not been updated. This was an old download that I might have opened after I repaired Windows 10. When these tools are falsely detected by antivirus programs and give an inaccurate site warning of potentially dangerous software, how do they assign a name to the potential Trojan? How do I determine what is safe and what is false? This Trojan:Win32/Rundas.A and the Trojan/Vigorf.A that was found in a previous scan (I'm not sure in what file), could they have been legitimate threats?

My computer has sometimes been arbitrarily restarting after being on for about 10 minutes, so I'm concerned that I might still have a problem. That is why I ask if I should do a clean reinstall of Windows 10, which would wipe out that old Windows file. Your advice in this matter is greatly appreciated. Thank you.

 



#978 quietman7 (Global Moderator)

Posted 01 April 2017 - 06:23 PM

Each security vendor uses their own naming conventions to identify various types of malware, so it's sometimes difficult to determine exactly what has been detected or the nature of the threat without knowing more information about the actual file(s) involved. Names with Generic or Patched are a very broad category. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is.

Names are created for in-the-wild malware which has been released to infect computers, non-wild ("Zoo" viruses and worms) created by labs and anti-virus vendors to test their ability to detect new threats, proof-of-concept viruses created by ethical groups and zero-day malware...all of which can be renamed at any given time. Since there are no universal naming standards, all this leads to confusion for the end user.

To aid the fight against computer viruses and other types of malicious software, many security advisory organizations and developers of anti-virus software compile and publish lists of viruses. The compilation of a unified list of viruses is made difficult because of naming. When a new virus appears, the rush begins to identify and understand it as well as develop appropriate counter-measures to stop its propagation. Along the way, a name is attached to the virus. As the developers of anti-virus software compete partly based on how quickly they react to the new threat, they usually study and name the viruses independently. By the time the virus is identified, many names denote the same virus.

Another source of ambiguity in names is that sometimes a virus initially identified as a completely new virus is found to be a variation of an earlier known virus, in which cases, it is often renamed. ...

List of computer viruses: Naming

Anytime you come across a suspicious file or you want a second opinion, submit it to one of the online services that analyzes suspicious files.

#979 JSntgRvr (Malware Response Team)

Posted 14 April 2017 - 08:35 AM

https://www.bleepingcomputer.com/forums/t/644195/cant-identify-or-get-rid-ofthis-rootkitransomware/#entry4220189

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 04/13/2017 09:31:40 PM in x64 mode.
Windows Version: Windows 10 Home
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 * Windows Firewall Disabled
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
 * agp440 [Missing Service]
 * DcpSvc [Missing Service]
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * RetailDemo => %SystemRoot%\System32\svchost.exe -k rdxgroup [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
Searching for Missing Digital Signatures:
 * No issues found.
Checking HOSTS File:
 * No issues found.
Program finished at: 04/13/2017 09:32:09 PM
Execution time: 0 hours(s), 0 minute(s), and 28 seconds(s)

 

The OP is worried about these missing services. The computer seems clean.


Under Hurricane Emergency, expect delays on my responses

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
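The log above reports two kinds of findings: registry settings that disable Windows Defender or the firewall, and services that are missing or launch an unexpected ImagePath. The following PowerShell is an added example (not RKill's code and not from the thread) that re-reads those registry entries so the values can be checked directly; the service names and reference ImagePath strings are copied from the log as illustrations, and a real comparison should use values from a clean install of the same Windows build.

```powershell
# Added example, not RKill's code and not from the thread: re-read the registry
# entries behind two kinds of lines in the log above ("Windows Defender Disabled" /
# "Windows Firewall Disabled", and "[Missing Service]" / "[Incorrect ImagePath]")
# so the values can be checked directly. Service names and the reference ImagePath
# strings are copied from that log as illustrations; substitute values from a clean
# install of the same Windows build for a real comparison. Run elevated.

# 1. "Performing miscellaneous checks": the value must exist AND equal the flagged setting
$registryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
       Name = 'DisableAntiSpyware'; Flagged = 1; Label = 'Windows Defender disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
       Name = 'EnableFirewall'; Flagged = 0; Label = 'Windows Firewall disabled' }
)
foreach ($c in $registryChecks) {
    # A missing value is not a finding: the OS default applies
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { '{0}: value not set' -f $c.Label; continue }
    $value = $item.($c.Name)
    if ($value -eq $c.Flagged) { '{0}: {1} = {2} (matches the RKill finding)' -f $c.Label, $c.Name, $value }
    else                       { '{0}: {1} = {2} (not flagged)' -f $c.Label, $c.Name, $value }
}

# 2. "Checking Windows Service Integrity": does the key exist, and what does it launch?
$reference = [ordered]@{
    AJRouter   = '%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted'
    RetailDemo = '%SystemRoot%\System32\svchost.exe -k rdxgroup'
    WpnService = '%systemroot%\system32\svchost.exe -k netsvcs'
    TimeBroker = $null   # reported as [Missing Service]; nothing to compare against
}
foreach ($name in $reference.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { "$name : no service key (RKill prints [Missing Service])"; continue }
    $actual = (Get-ItemProperty -Path $key).ImagePath
    # ImagePath is what the Service Control Manager launches; for svchost-hosted services
    # the -k group is part of it. Compare case-insensitively, as the log shows mixed case.
    if ($null -ne $reference[$name] -and $actual -ine $reference[$name]) {
        "$name : ImagePath '$actual' differs from reference '$($reference[$name])'"
    } else {
        "$name : ImagePath '$actual'"
    }
    # A ServiceDll, when present, lives under the Parameters subkey ([Incorrect ServiceDLL])
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { "$name : ServiceDll '$dll'" }
}
```

An absent service key on its own is not proof of tampering: as the replies below note, the Windows 10 enumeration in this RKill version produced false positives, so the printed values are what to compare against a known-good machine.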


#980 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 14 April 2017 - 08:44 AM

It is clean. Can be ignored. Need to tweak it more for Windows 10 next week.

#981 JSntgRvr (Malware Response Team)

Posted 14 April 2017 - 01:50 PM

Thanks. :)




#982 selohu

Posted 16 April 2017 - 07:23 AM

ok thanks



#983 Cookiegal (Security Colleague)

Posted 11 July 2017 - 11:55 AM

I would like to revisit the TBS [missing service] result that many are seeing.  I've been doing a lot of research on it and see that the usual course of action is to insert the service using a registry fix but I'm wondering if that's really needed.  Now, keep in mind that I'm not that up on the later OSs and most of you posting here know a lot more about these things than I do so please don't see this as an affront.  However, I have a curious mind and I've noticed some similarities and coincidences in threads where this is the only detection so I thought I'd put this out there to see what you think.

 

It was my understanding from what I've read that the TBS (TPM Base Services) would not be found on a computer that doesn't have a TPM chip.  This MS article:

 

https://msdn.microsoft.com/en-us/library/windows/desktop/aa446792%28v=vs.85%29.aspx

 

states:

 

"Starting with Windows 8 and Windows Server 2012, TBS comes pre-installed on all systems with a TPM".  I took that to mean not on Windows 7, which most, if not all of the ones with this detection are so it appears that it would not be a default service.

 

Further, many Dells aren't TPM compatible, in particular the Inspiron models.  This link from Dell shows that only the Latitude, Optiplex and Precision models have it but it could be an outdated article.  However, coincidentally, most of the systems with this as the sole detection are Dell Inspirons running Windows 7.

 

http://www.dell.com/support/article/ca/en/cabsdt1/SLN55441/what-is-the-trusted-platform-module--tpm--security-feature----kb-article---274113?lang=ZH

 

So my question would be: isn't it normal to have that detection if rkill is looking for this service on all systems, even those without TPM, in which case it could be ignored?  Also coincidentally, these sole detections seem to have started in early 2016, which was not long after Windows 10 compatibility was added to rkill according to the changelog.  I wonder if that could have something to do with it.

 

Also, as in the link below (albeit for Windows 10), if the user looks in Device Manager under Security Devices and doesn't see Trusted Platform Module there, and the TPM Management snap-in console shows "No TPM", wouldn't that mean then that it's normal for there to be no TBS service, and therefore it may be futile to restore a service that can't be used?  Or can malware or some other process delete all of that too?

 

https://www.tenforums.com/tutorials/36454-verify-trusted-platform-module-tpm-chip-windows-pc.html

 

Again, my observations may be way out to left field so please humour me (or ignore me) or simply set me straight but more importantly please don't take offense or laugh too hard. :)
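The post above argues that a "TBS [Missing Service]" line should be read together with whether the machine has a TPM at all. As an added example (not from the thread and not RKill's code), the following PowerShell collects those observations on one machine: the TPM device as reported by the Win32_Tpm WMI class (a real class, present on Vista and later), the TBS service as seen by the Service Control Manager, and the TBS service key in the registry.

```powershell
# Added example, not from the thread or from RKill: collect the observations discussed
# above (a TPM device reported by WMI, the TBS service being registered, the TBS
# service key in the registry) on one machine, so a "TBS [Missing Service]" line can
# be read against the hardware. Assumes the Win32_Tpm WMI class; on a machine without
# a TPM the query returns nothing, which is itself the observation. Run elevated.
function Get-TpmTbsState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
                         -ErrorAction SilentlyContinue
    $svc = Get-Service -Name TBS -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TpmDevicePresent = [bool]$tpm
        # IsEnabled()/IsActivated() are Win32_Tpm methods; only meaningful when a TPM exists
        TpmEnabled       = if ($tpm) { $tpm.IsEnabled().IsEnabled } else { $null }
        TpmActivated     = if ($tpm) { $tpm.IsActivated().IsActivated } else { $null }
        TbsServiceListed = [bool]$svc
        TbsServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
        TbsRegistryKey   = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TBS'
    }
}

$state = Get-TpmTbsState
$state | Format-List

# Read the combination rather than the single "[Missing Service]" line
if (-not $state.TpmDevicePresent -and -not $state.TbsServiceListed) {
    'No TPM reported and no TBS service: consistent with the hardware. Compare with a'
    'known-good install of the same Windows version before restoring the service.'
} elseif ($state.TpmDevicePresent -and -not $state.TbsServiceListed) {
    'TPM reported but no TBS service registered: this one is worth investigating.'
} elseif ($state.TbsServiceListed) {
    'TBS service is registered; a "[Missing Service]" line for it would be a false positive.'
}
```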

 

 

 



#984 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 24 July 2017 - 05:58 PM

The Windows 10 service enumerations are still not working right. Everything else is fine, but the services for now should be ignored. For now, I have removed that routine from Rkill until I get the services in order. The rest of the service checks will still be in place (common services that should be running and are not).

#985 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 25 July 2017 - 09:39 AM

I just uploaded Rkill 2.9.1. In this version I added a ton more malware services (about 400) that will be stopped by Rkill. I also disabled the service validation check until I can get the false positives resolved. All other features are still working as normal!

#986 garioch7 (Malware Response Team)

Posted 25 July 2017 - 11:35 AM

Thanks, Grinler, for continuing to improve an awesome anti-malware utility.

 

Have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#987 Cookiegal (Security Colleague)

Posted 25 July 2017 - 01:25 PM

Thanks Lawrence! :)



#988 LYN12345

Posted 25 July 2017 - 03:35 PM

I used RKill on someone's PC. Chrome warned me it was a dangerous download and offered to block it, and after I used it, a Hitman Pro scan found it and called it a trojan. I've never had this happen when using it in the past..? I downloaded it from Bleeping Computer's site. Thanks.



#989 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 25 July 2017 - 04:04 PM

Looks like Kaspersky has a false positive:

https://www.virustotal.com/en/file/04e56a99957eb3328946a8c601f190bb6534e34e926c0d72b2b9c69acd6f61bd/analysis/1501016604/

I reached out to a contact there and posted here about it:

https://twitter.com/BleepinComputer/status/889955296499699717

Should be cleared up soon.

#990 LYN12345

Posted 25 July 2017 - 04:30 PM

UB awesome. Thanks for the fast response!





