Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Processes found by Rkill after many types of scans

  • Please log in to reply
2 replies to this topic

#1 mattyk


  • Members
  • 6 posts
  • Local time:01:21 PM

Posted 08 November 2010 - 12:59 AM

I am trying to fix my sisters Acer 3680-2682 laptop which is running vista basic 32 bit. I have ran many of the programs available here so I am going to explain the process I have completed and hopefully someone can stear me in the right direction from here. First off the machine was running really slow it only has 512 mb of ram to start with but was basically at a crawl. I did not put the machine online I was worried of messing up my network by doing so. I installed rkill and there were malicious processes running and she had limewire and that coupon printer so i just assumed it was bad. I am learning how to work on computers so I have some knowledge of the field but basically just relying on programs to do the work at this point. I installed tdsskiller and combo fix and ran both combofix did find issues and found something down in the kernal files and the machine shut down while it was being deleted and when it tried to reboot windows would not reload so the startup fix tool repaired it and windows loaded. Combofix finished building the report and then I rebooted the machine and then ran combofix again. It ran thru with no problems this time so I rebooted the machine and ran it again. Again there was no issues so I rebooted and uninstalled it thru the dos prompt. I then went thru the program add and remove and uninstalled all of adobe and java and any tool bar or coupon printer, basically anything she didn't need or what I couldnt update the download. Then installed malwarebytes and updated it. I ran rkill and then malwarebytes and malwarebytes turned up a trojan so I deleted it and rebooted. Next I ran rkill again and was still seeing processes so I downloaded super antispyware and it found a browser hijacker but still when i run rkill I have processes running. The following are the processes running:

C:\Users\Amii\AppData\Local\Temp\RtkBtMnt.exe Exact spelling of file
C:\Windows\system32\DllHost.exe And yes it is listed twice

So please help I can run any program and post reports as needed so maybe I just need walked thru the process by someone that knows what the hell they are doing...lol
Thanks everyone for your input on this site I have learned more from this site in a few weeks about computers than I have anywhere else. Keep up the good work!!!!!! Matty

Edited by Blade Zephon, 08 November 2010 - 02:54 AM.
Moved from Vista to AII. ~BZ

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,747 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:21 PM

Posted 08 November 2010 - 12:50 PM

Please note the message text in blue at the top of this forum.

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

If you ran ComboFix on your own due to malware infection, please be aware that using ComboFix is only one part of the disinfection process. With that said, all files listed in an RKill log are not necessarily malware related. In addition to terminating the most common bad processes that prevent other tools from being executed, Rkill also terminates executable files running from a user profile by design. Programs should not be running from a userprofile as they are meant to hold data, preferences, settings, and configuration files. Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there.

DllHost.exe (aka COM Surrogate or DCOM DLL host process) is a process that supports DLL-based COM objects and is used by many Windows programs. This process is a legitimate Windows component that resides in the system 32 folder. It is not uncommon to find multiple instances of DllHost.exe running in Task Manager or its presence indicated as terminated in RKill's output log.

RtkBtMnt.exe is a legitimate process related to Realtek HD Audio Data Rerouter by Realtek Semiconductor Corp. that is usually located in a profile subfolder of C:\Documents and Settings.

RKill just kills processes, imports a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools. Then it kills Explorer.exe so it will restart and enable some of the Registry changes. When done, RKill will then create a log listing all processes that were terminated while the program was running. Please note that this will include processes that were terminated manually by the user as well as RKill (itself)...

RKill - What it does and What it Doesn't - A brief introduction to the program

If you are able to run Malwarebytes Anti-Malware and other security tools without them terminating, there is no need to run Rkill. Using Rkill is only necessary to fix the most common malware processes that stop us from using security tools and completing scans so its not required in all situations.

FYI: Anytime you come across a suspicious file or one that you do not recognize, search the name using Google <- click here for an example.

If you cannot find any informatio, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to one of the following online services that analyzes suspicious files:In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Edited by quietman7, 08 November 2010 - 12:53 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:21 PM

Posted 15 November 2010 - 10:18 PM


Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Since you have run ComboFix, please include the ComboFix log in the new topic. Please be sure to include a description of your computer issues and what you have done to try to resolve them.

If you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why and include the ComboFix log along with a description of your computer issues.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users