RKill executable question


4 replies to this topic

#1 Catnipper

Catnipper

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 01 February 2011 - 03:51 PM

My brother's PC was getting a new infection, antivirus .NET. I wanted to assist with the removal but also to have these tools myself. I downloaded RKill and MBAM but when I tried to run RKill I got a "threat detected" popup from AVG Anti-Spyware which quarantined USERINIT.EXE, WINLOGON.EXE and IEXPLORE.EXE. Why did this happen? It makes me a bit nervous about RKill.

#2 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 34,529 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:11:03 AM

Posted 01 February 2011 - 03:56 PM

From this topic: RKill - What it does and What it Doesn't - A brief introduction to the program

On a final note, when you download and run RKill, certain anti-virus programs may state that the program is a security risk. This is because some of the tools used by RKill can be used for good or bad, though the programs themselves are perfectly harmless, and most anti-virus programs just lump them into the bad category. I assure you we are using them only for good purposes :thumbsup:

A scan from virustotal.com as of 12/02/10 shows the following AV vendors flagging RKill as:

Vendor    Engine version   Signature date   Result
ClamAV    0.96.4.0         2010.12.02       PUA.Packed.PECompact-1
eSafe     7.0.17.0         2010.12.02       Suspicious File
F-Prot    4.6.2.117        2010.12.01       File is damaged
Sophos    4.60.0           2010.12.02       NirCmd

Please be assured that there are no Trojans or infections within RKill.
If you have any other questions about RKill, feel free to post them in the topic. Do not, though, ask questions about how to get RKill to run, unless you can provide a better method to get around the malware blocking it. Also please do not ask about how to remove specific malware. Those questions should be asked in the forums listed earlier in the topic.


Changelog:

12/2/10:
  • Major rewrite of the program to be more effective.
  • No longer terminates explorer as that restarted applications running from Runonce.
  • Uses a whitelist for displaying the processes that were killed. This is so it no longer shows itself as being killed and some other processes that were always displayed in Vista and Windows 7 even though Rkill didn't terminate them.
  • Cleaned up output.


Bold is mine for emphasis.

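When a scanner flags a removal tool as a PUA or packed file, the useful next step is to confirm that the copy on disk is the genuine download rather than to argue with the scanner. The following PowerShell is an added example, not code from the original post or from RKill: it hashes the file, compares the hash with the value the publisher lists, and reports the Authenticode status. The file path and the expected hash are placeholders; take the real hash from the tool author's download page.

```powershell
# Added example: verify a downloaded tool before deciding whether an AV flag is a false positive.
# $Path and $ExpectedSha256 are placeholders, not values from the original thread.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\rkill.exe",
    [string]$ExpectedSha256 = "<SHA256 PUBLISHED BY THE TOOL AUTHOR>"
)

function Test-DownloadedTool {
    param([string]$Path, [string]$ExpectedSha256)

    if (-not (Test-Path -LiteralPath $Path)) {
        # A missing file after a "threat detected" popup usually means the scanner quarantined it.
        return [pscustomobject]@{ Path = $Path; Result = 'missing (possibly quarantined by AV)' }
    }

    $actual      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashMatches = ($actual -eq $ExpectedSha256.ToUpperInvariant())

    # Many small utilities ship unsigned. An unsigned file is not evidence of tampering,
    # only a reason to rely on the published hash instead of the signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path        = $Path
        Sha256      = $actual
        HashMatches = $hashMatches
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Result      = if ($hashMatches) { 'matches publisher hash' } else { 'hash mismatch: do not run' }
    }
}

Test-DownloadedTool -Path $Path -ExpectedSha256 $ExpectedSha256 | Format-List
```

Run it from the folder the tool was saved to, or pass `-Path`. A matching hash tells you the file is what the author published; it does not tell you the file is safe, which is why the vendor names in the table above (packer and dual-use utility signatures rather than a malware family) are the other half of the false-positive judgement.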

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:03 PM

Posted 02 February 2011 - 11:57 AM

If you are able to run Malwarebytes Anti-Malware and other security tools without them terminating, there is no need to run Rkill. Using RKill is only necessary to fix the most common malware processes that stop us from using security tools and completing scans, so it's not required in all situations.

AVG Anti-Spyware which quarantined USERINIT.EXE, WINLOGON.EXE and IEXPLORE.EXE

From what you describe, that appears to be a separate issue and a sign of a more serious malware infection. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 Catnipper

Catnipper
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:03 PM

Posted 02 February 2011 - 11:06 PM

My brother managed to eliminate the antivirus .NET by going into safe mode with networking and typing the system restore command line into the Run dialog. He was able to restore last week's settings and the intruder was gone.

So we did not have to load any tools remotely. He now has MBAM loaded and plans to run it weekly.

Thanks for the help.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:03 PM

Posted 03 February 2011 - 07:44 AM

You're welcome.

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points are stored in the System Volume Information (SVI) folder and can be used to "roll back" the computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. Keep in mind that System Restore will back up the good as well as malevolent files, so when malware is present on the system it may be included in some restore points.

Sometimes this method of recovery works but other times it may not, since System Restore was not designed to be a virus or malware removal tool. Whether it will be successful depends on what type of infection you are dealing with, what damage the malware has already caused, whether it disabled System Restore and, if not, what is restored during the process.

Best to scan right away with MBAM and closely monitor the system for a few days.
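The post above describes what System Restore does and why a restore point may or may not help. The PowerShell below is an added example, not from the original post, showing how to check the same things from an elevated prompt on a Windows client: make sure protection is on for the system drive, snapshot the current state before running removal tools, and list the existing restore points with readable dates so a point from before the infection can be picked out. The drive variable and the checkpoint description are assumptions.

```powershell
# Added example (not from the original post): inspect and use System Restore from an
# elevated PowerShell on a Windows client edition. Requires Microsoft.PowerShell.Management.
$systemDrive = "$env:SystemDrive\"

function Get-RestorePointSummary {
    # Get-ComputerRestorePoint returns nothing when no points exist. CreationTime is a
    # WMI datetime string, so it is converted before sorting or displaying.
    Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Type        = $_.RestorePointType
            Description = $_.Description
        }
    } | Sort-Object Created -Descending
}

# 1. Make sure protection is on for the system drive; malware commonly disables it,
#    which is one of the cases where the rollback method described above fails.
Enable-ComputerRestore -Drive $systemDrive

# 2. Snapshot the current state before running removal tools, so their changes can be
#    undone. Windows 8 and later refuse a second point within 24 hours by default, so if
#    this call seems to do nothing, check the list in step 3 for a point from today.
Checkpoint-Computer -Description "Before malware cleanup (added example)" -RestorePointType MODIFY_SETTINGS

# 3. Review what is available. A point dated before the infection is the rollback
#    candidate; points created while the machine was infected may contain the malware
#    as well, which is why a full scan after any restore is still needed.
Get-RestorePointSummary | Format-Table -AutoSize
```

The restore points themselves live under the System Volume Information folder mentioned in the post, which is ACL-restricted to SYSTEM; the cmdlets above are the supported way to see them rather than browsing that folder. Checkpoint-Computer and Get-ComputerRestorePoint are client-only cmdlets and are not available on Windows Server.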