
Can anyone help me "translate" this log from an Rkill scan?


  • Please log in to reply
3 replies to this topic

#1 pottii

Posted 17 December 2016 - 04:04 PM

Hello, I am an IT newcomer who recently ran an RKill scan to see if I had any malware on my computer.

 

The scan didn't find any malware or issues (from what I can see), except in one category, Windows Service Integrity. Also, it said "Reparse Point/Junctions Found (Most likely legitimate)!", and I am not sure what that means.

 

If anybody would take the time to look at the RKill log to confirm that there are no threats, and possibly explain what all the problems in the Windows Service Integrity section are, I would be highly grateful. Thank you very much.

 

Here is the full log:

 

------------------------------------------------------------------------------------

 

Program started at: 11/21/2016 09:01:51 PM in x64 mode.
Windows Version: Windows 10 Home 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
 * Reparse Point/Junctions Found (Most likely legitimate)!
 
     * C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir]
 
Checking Windows Service Integrity: 
 
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 
 * agp440 [Missing ImagePath]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 11/21/2016 09:02:09 PM
Execution time: 0 hours(s), 0 minute(s), and 17 seconds(s)

 

 

---------------------------------------------------------------------------------------------------------

EDIT: I just ran sfc /scannow in the command prompt and it didn't find any integrity violations. However, the RKill log still comes off as a bit confusing to me, so help is still greatly appreciated. :-)


Edited by pottii, 17 December 2016 - 04:28 PM.



#2 quietman7 (Global Moderator)

Posted 17 December 2016 - 04:44 PM

:welcome: to Bleeping Computer.

 

RKill is a specialized tool created by Grinler (aka Lawrence Abrams), the site owner of BleepingComputer, primarily designed to terminate suspicious processes (not specific malware) and reset various registry configuration settings that prevent anti-malware and anti-virus tools from running. When RKill is able to terminate malicious processes and reset certain registry keys, that action usually allows other tools to perform scans and clean-up routines to remove the infection. Some of these settings include incorrect .EXE, .COM, & .BAT file associations in the Windows Registry if changed by malware or a legit program.

In addition to terminating common malicious processes, RKill (by design) always terminates Explorer, whether you are clean or not, as well as files running from certain locations:

  • Executable files running from a user profile or from any Temporary Internet file.
  • Executable files running from the Windows folder (%WinDir%) without a digital signature.

Programs should not be running from a temp folder or user profile, which is meant to hold data, preferences, settings, and configuration files. Any executable under %WinDir% should be signed... there is no excuse for any program running from the Windows folder without being signed. Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from, and the user profile %AppData%, %LocalAppData%, %ProgramData%, and %Temp% folders are common hiding places for malicious files.

RKill will display the first 20 valid entries in the HOSTS file, which is sometimes altered (modified) by a malware infection. Modification of this file does not necessarily mean your system is infected, since some legitimate security programs and custom HOSTS files can also add numerous entries. RKill will also check the permissions on the HOSTS file and reset them if the administrator does not have proper permissions.

Since RKill is not designed to be a comprehensive malware removal tool, using it is not required in all situations. If you cannot run other security tools, a scan with Malwarebytes 3.0 or a similar tool should be completed immediately after running RKill. If you are able to run other security tools without them terminating, there is no need to run RKill. However, if RKill is run separately without or after other security tools, its log can provide useful information to help diagnose the presence of malware or report other issues, as the developer added some basic enumeration to the tool for various infections.

For example:

  • RKill includes Junction/Reparse point detection for ZeroAccess detection. If found, the log will show: * ALERT: ZEROACCESS rootkit symptoms found!
  • RKill provides Digital Signature Detection... it will scan various Windows files to determine if they are signed. If a signature is not detected on a file that should have one, RKill will report it. RKill will also provide a list of possible replacement files (noted by the [Pos Repl] tag) for the file that failed the signature test.
  • RKill provides Windows Service integrity checking and reports when certain necessary services are not running.
  • RKill reports when certain policies are enabled that disable Automatic Updates, System Restore or Windows Defender.
  • RKill will remove any proxy settings that are found when it is run and export the configuration to a registry file (rk-proxy.reg) saved on the desktop. Some types of malware can alter those settings, which can affect the ability to browse, update and download programs required for disinfection. If the proxy is legitimate you can just double-click and import the registry file to restore your proxy settings.

[Missing Service] notations in the Checking Windows Service Integrity section when RKill is run on Windows 10 are a known glitch and have previously been reported.

If you have not done so, you may want to read this topic: RKill - What it does and What it Doesn't - A brief introduction to the program. The last few pages include reports about the missing services.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
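As an added example (not RKill's own code, and not written by either participant in this thread), here is a small parser for a log in the layout pottii pasted above, with a triage step that rates each finding the way quietman7's reply does: "No ..." lines are clean, [Missing Service] on Windows 10 is the known glitch, a junction is informational unless an ALERT line appears, and a policy of DisableAntiSpyware=1 is the one item worth confirming. The section-heading and " * " conventions are inferred from the pasted log, and the sample below is a constructed excerpt of it.

```python
import re

# Constructed excerpt in the layout of the RKill log pasted in this thread (entries taken from it).
SAMPLE_LOG = """Windows Version: Windows 10 Home
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\\SOFTWARE\\Microsoft\\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 * Reparse Point/Junctions Found (Most likely legitimate)!
Checking Windows Service Integrity:
 * gagp30kx [Missing Service]
 * AJRouter => %SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
Checking HOSTS File:
 * No issues found.
"""
TAG_RE = re.compile(r"\[([^\]]+)\]\s*$")  # trailing "[Missing Service]"-style tag

def parse_sections(text):
    """Map each 'Checking ...:' heading to its ' * ' findings as (text, tag) pairs;
    indented detail lines (registry keys, junction paths) are skipped."""
    sections, current = {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" ") and line.endswith(":"):
            current = line[:-1]                # new section heading
            sections.setdefault(current, [])
        elif line.startswith("* "):
            m = TAG_RE.search(line)
            body = line[2:m.start()].strip() if m else line[2:]
            sections.setdefault(current, []).append((body, m.group(1) if m else None))
    return sections

def triage(text):
    """Return {finding: verdict}; verdicts follow the reasoning in this thread."""
    win10 = bool(re.search(r"^Windows Version:.*Windows 10", text, re.M))
    verdicts = {}
    for findings in parse_sections(text).values():
        for body, tag in findings:
            if body.startswith("No "):
                continue                      # the check found nothing
            if body.startswith("ALERT:"):
                verdicts[body] = "action"     # e.g. ZEROACCESS rootkit symptoms
            elif tag == "Missing Service" and win10:
                verdicts[body] = "known-glitch"
            elif "Most likely legitimate" in body or tag == "Dir":
                verdicts[body] = "info"
            elif body == "Windows Defender Disabled":
                verdicts[body] = "action"     # confirm who set DisableAntiSpyware=1
            else:
                verdicts[body] = "review"     # Incorrect ImagePath / ServiceDLL etc.
    return verdicts
```

Run on a log from Windows 7 or 8, the same [Missing Service] entries fall through to "review", since the glitch noted in the thread is specific to Windows 10.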

#3 pottii (Topic Starter)

Posted 18 December 2016 - 11:29 AM

quietman7,

 

Thank you, both for welcoming me, and for your comprehensive post.

 

As I mentioned in the beginning, I am an IT/computer newcomer, so I regret to inform you that I am not sure that I understand your post completely at first glance, but I will take some time to sit down and read through everything you wrote me.

 

From what I understand from your post, I shouldn't be too worried about Windows Service Integrity, as you mention it to be a known glitch, or the Junction/Reparse point, as it didn't find any rootkit.

 

I will definitely go over your post again and try to understand your points, as well as go over the RKill description topic you linked at the bottom.

Once again, thank you so much for your help and time, I am very appreciative of you helping me! :-)

 

All the best



#4 quietman7 (Global Moderator)

Posted 18 December 2016 - 02:30 PM

You're welcome.

If you have any more questions about RKill, please post them in the RKill - What it does and What it Doesn't topic link above.

Usually, when a computer is infected with malware there will most likely be obvious indications (signs of infection and malware symptoms) that something is wrong. If you experience such signs and symptoms, you can get individual assistance by starting a new topic in the Am I infected? What do I do? forum.

If you want a comprehensive check of your system by our team of experts, then more advanced tools are available, but they cannot be used in this or the above forum. Just follow the instructions provided in the Malware Removal and Log Section Preparation Guide, starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.