Rkill exception - LogMeIn Rescue


12 replies to this topic

#1 tylerh


Posted 08 June 2010 - 04:00 PM

My name is Tyler H. I work for an ISP in a department called RescueIT. We deal heavily with virus infections on a daily basis.

Rkill is one of our initial tools we run on an infected computer. This tool works great for terminating the majority of infections on the systems.

The only problem we have found is that our remote tool, Logmein Rescue, gets terminated when running Rkill. We've also noticed our remote session only gets terminated when the remote session is running as an applet or service.

Can process/service exceptions be added to rkill through command line or is there anything else that can be done to prevent rkill from terminating our remote session with Logmein Rescue?

Edited by tylerh, 08 June 2010 - 04:03 PM.



#2 Grinler

    Lawrence Abrams


  • Admin

Posted 08 June 2010 - 04:21 PM

Is the tool being run from a userprofile? If so, then have the user run it from their c drive or a folder saved on their computer outside the userprofile folder.

#3 tylerh


Posted 08 June 2010 - 04:36 PM

Give me a little bit. I'm trying to find a PC where it terminates the remote session. The weird thing is that it is not consistent. I'll reply back shortly.

Edited by tylerh, 08 June 2010 - 04:37 PM.


#4 tylerh


Posted 08 June 2010 - 04:53 PM

Ok, I found a PC where it is shutting down the Logmein Rescue remote session. Fresh install of Windows 7, no infections, all updates.

First try, I ran it from the desktop (C:\Users\test\desktop)

Here is the log:

C:\Users\Test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCJRX5C5\Code[1].exe
C:\Users\Test\AppData\Local\Temp\LMID49D.tmp\lmi_rescue.exe
C:\Users\Test\AppData\Local\Temp\LMID49D.tmp\lmi_rescue.exe
C:\Users\Test\AppData\Local\Temp\LMID49D.tmp\lmi_rescue.exe
C:\Users\Test\AppData\Local\Temp\LMID49D.tmp\lmi_rescue.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Test\Desktop\rkill.com

Second attempt, I ran it directly from the C:\ drive.

Here is the log:

C:\Users\Test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCJRX5C5\Code[2].exe
C:\Users\Test\AppData\Local\Temp\LMIC62C.tmp\lmi_rescue.exe
C:\Users\Test\AppData\Local\Temp\LMIC62C.tmp\lmi_rescue.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe

Thanks for the quick reply :thumbsup:

Edited by tylerh, 08 June 2010 - 04:54 PM.


#5 tylerh


Posted 08 June 2010 - 05:16 PM

Well, I've found out what the problem is.

Rkill will terminate the Logmein Rescue remote session if UAC is turned on. Happen to know any way around this other than turning off UAC when Rkill is run?

#6 Grinler


Posted 08 June 2010 - 05:46 PM

No, unfortunately not.

The programs, though, do appear to be running from the %UserProfile% folder:

C:\Users\Test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCJRX5C5\Code[2].exe
C:\Users\Test\AppData\Local\Temp\LMIC62C.tmp\lmi_rescue.exe
C:\Users\Test\AppData\Local\Temp\LMIC62C.tmp\lmi_rescue.exe


#7 tylerh


Posted 08 June 2010 - 05:52 PM

I'm sorry, I thought you asked where Rkill was being run from. So, if we can change the temp folder our remote uses to a local folder and not a user profile folder....it shouldn't end the process and kill it?

#8 Grinler


Posted 08 June 2010 - 06:07 PM

I think that would fix the problem.

#9 tylerh


Posted 08 June 2010 - 06:38 PM

Thank you for your information! I really appreciate it.

#10 marcink99


Posted 03 May 2011 - 08:24 PM

Hey, I have the same problem: rkill kills logmein. Was this ever resolved? If yes, what was the solution? Thanks!

#11 Grinler


Posted 03 May 2011 - 08:47 PM

This is not an issue with rkill or logmein. This is an issue of where logmein is running from. Don't run logmein from a userprofile folder and it will not be terminated.

#12 tup3ng


Posted 05 May 2012 - 12:22 AM

Has anybody got to fix the re-launch of logmein rescue applet after running rkill?

#13 Grinler


Posted 06 May 2012 - 10:28 AM

In the near future, users will have the ability to whitelist certain apps. When it's ready I will post a note about it.

Unfortunately, till that time, if you can get the logmein, or any other remote app for that matter, executables to run from someplace other than a profile, Rkill will not terminate it.
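
Added example (not part of the thread and not Rkill's own code): a Python check that applies only the path rule stated in the replies above, "running from a user profile folder", to the image paths in the first log from post #4. The `C:\Users` profiles root and all function names are assumptions made for this illustration.

```python
import ntpath

# Assumption: profiles live under C:\Users, as in the Windows 7 log in post #4.
PROFILES_ROOT = r"C:\Users"

def normalize(path):
    # Drop the long-path prefix (backslash backslash ? backslash), then
    # fold case and separators so comparisons are case-insensitive.
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normcase(ntpath.normpath(path))

def in_user_profile(path, profiles_root=PROFILES_ROOT):
    """True if path lies inside some profile folder below profiles_root."""
    root = normalize(profiles_root)
    full = normalize(path)
    # Match on a separator boundary so C:\Users2\x is not read as C:\Users\x.
    if not full.startswith(root + "\\"):
        return False
    rest = full[len(root) + 1:]
    # Require <profile name>\<something>, not a file directly in the root.
    return "\\" in rest

def profile_hosted(log_lines):
    """Distinct logged image paths that sit under a user profile, in log order."""
    seen, hits = set(), []
    for line in log_lines:
        line = line.strip()
        key = normalize(line) if line else ""
        if line and in_user_profile(line) and key not in seen:
            seen.add(key)
            hits.append(line)
    return hits

# Image paths copied from the first Rkill log in post #4.
LOG = r"""
C:\Users\Test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCJRX5C5\Code[1].exe
C:\Users\Test\AppData\Local\Temp\LMID49D.tmp\lmi_rescue.exe
C:\Users\Test\AppData\Local\Temp\LMID49D.tmp\lmi_rescue.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Users\Test\Desktop\rkill.com
""".splitlines()

if __name__ == "__main__":
    for path in profile_hosted(LOG):
        print("runs from a user profile:", path)
```
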



