created by Grinler (aka Lawrence Abrams), the site owner of BleepingComputer, is a tool primarily designed to terminate the most common malicious processes that prevent other security tools from being executed, completing a scan, or being used to disinfect the system. When RKill is able to terminate malicious processes and fix certain registry keys, that usually allows other tools to perform their scans and clean-up routines to remove the infection. Therefore, a scan with Malwarebytes Anti-Malware or a similar tool should be completed immediately after running RKill.
Since RKill is not designed to be a comprehensive malware removal tool, using it is not required in all situations. If you are able to run other security tools without them being terminated, there is no need to run RKill. However, if RKill is run separately, without or after other security tools, its log can provide useful information to help diagnose the presence of malware or report other issues, as the developer (Grinler) added some basic enumeration to the tool for various infections.
For example, RKill includes junction/reparse point detection for ZeroAccess. If found, the log will show: * ALERT: ZEROACCESS rootkit symptoms found!
RKill provides digital signature detection: it will scan various Windows files to determine whether they are signed. If a signature is not detected on a file that should have one, RKill will report it. RKill will also provide a list of possible replacement files (noted by the [Pos Repl] tag) for the file that failed the signature test. RKill provides Windows service integrity checking and reports when certain necessary services are not running. RKill reports when certain policies are enabled that disable Automatic Updates, System Restore, or Windows Defender. RKill resets the .EXE, .COM, and .BAT associations in the Windows Registry. RKill will remove any proxy settings that are found when it is run and export the configuration to a registry file (rk-proxy.reg) saved on the desktop. Some types of malware alter those settings, which can affect the ability to browse, update, and download the programs required for disinfection. If the proxy is legitimate, you can just double-click the registry file to import it and restore your proxy settings.
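To see what the checks above amount to on a live system, here is an added PowerShell audit (example code, not RKill's own) that reads the same indicators RKill reports on, signatures, service state, the three policy values, the .exe association and the proxy setting, without changing anything. The file list and service names are assumptions chosen for illustration; the registry paths are the standard Windows locations for these settings.

```powershell
# Added example, not RKill's code: read-only audit of RKill-style indicators.
# Run from an elevated prompt so the HKLM policy keys can be read.
$findings = @()

# 1. Authenticode signatures on Windows binaries that should always be signed
#    (file list is an assumption for illustration).
$signedFiles = @("$env:SystemRoot\explorer.exe",
                 "$env:SystemRoot\System32\winlogon.exe",
                 "$env:SystemRoot\System32\services.exe")
foreach ($f in $signedFiles) {
    if (Test-Path $f) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        if ($sig.Status -ne 'Valid') { $findings += "Signature check failed: $f ($($sig.Status))" }
    }
}

# 2. Services a healthy system needs; report any that are missing or disabled
#    (a stopped trigger-start service is normal, so only Disabled is flagged).
foreach ($svc in 'wuauserv', 'WinDefend', 'BITS', 'EventLog') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { $findings += "Service $svc is missing" }
    elseif ($s.StartType -eq 'Disabled') { $findings += "Service $svc is disabled" }
}

# 3. Policy values that disable Automatic Updates, System Restore or Defender.
$policies = @(
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate';       Label = 'Automatic Updates disabled' },
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';  Name = 'DisableSR';          Label = 'System Restore disabled' },
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';          Name = 'DisableAntiSpyware'; Label = 'Windows Defender disabled' }
)
foreach ($p in $policies) {
    $v = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($v -eq 1) { $findings += "$($p.Label) by policy: $($p.Path)\$($p.Name)" }
}

# 4. .EXE association: the default open command for exefile should be "%1" %*.
$exeCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($exeCmd -ne '"%1" %*') { $findings += "exefile open command is altered: $exeCmd" }

# 5. Proxy settings; RKill clears these and exports them to rk-proxy.reg.
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($proxy.ProxyEnable -eq 1) { $findings += "Proxy enabled: $($proxy.ProxyServer)" }

if ($findings.Count -eq 0) { 'No RKill-style indicators found.' } else { $findings }
```

A finding from this script is a prompt to look closer, not proof of infection; a legitimately configured corporate proxy or a policy set by your administrator will show up here just as RKill would report it.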