
RKILL log question


15 replies to this topic

#1 Vantezzle

Vantezzle

  • Members
  • 26 posts
  • OFFLINE
  •  

Posted 08 May 2018 - 07:47 AM

Hi, I've wanted to do my monthly scan and RKILL showed something that never happened before..

 

Rkill 2.9.1 by Lawrence Abrams (Grinler)
Copyright 2008-2018 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 05/08/2018 02:42:02 PM in x64 mode.
Windows Version: Windows 10 Home 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
 * Reparse Point/Junctions Found (Most likely legitimate)!
 
     * C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 05/08/2018 02:42:14 PM
Execution time: 0 hours(s), 0 minute(s), and 11 seconds(s)
 
 
That's the log and 
" * Reparse Point/Junctions Found (Most likely legitimate)!
 
     * C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir]
"
Never happened before... Am I infected?



 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,754 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:04 PM

Posted 08 May 2018 - 09:27 PM

RKill includes Reparse Point/Junctions for detection of ZeroAccess rootkit and other malware. However, the presence of Reparse Point/Junctions is not automatically indicative of infection, which is why it typically will say "Reparse Point/Junctions Found (Most likely legitimate)!". Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
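
An added example, not part of any post in this thread and not RKill's own code: a small Python parser that pulls the findings and junction entries out of an RKill log like the one in post #1, so the lines that are not all-clear messages can be reviewed. The sample log is a constructed excerpt of that post, and `same_folder` is an assumed illustrative heuristic, not how RKill classifies junctions.

```python
import re
from ntpath import dirname, normcase  # Windows path rules, works on any OS

# Constructed sample: an excerpt of the RKill log posted in this thread.
SAMPLE_LOG = r"""Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir]

Searching for Missing Digital Signatures:

 * No issues found.
"""

SECTION = re.compile(r"^(\S.*?):\s*$")            # "Checking HOSTS File:"
FINDING = re.compile(r"^\s{0,2}\* (.+?)\s*$")     # " * No issues found."
JUNCTION = re.compile(r"^\s+\* (.+?) => (.+?) \[(\w+)\]\s*$")

def parse_rkill(text):
    """Return (findings, junctions) from an RKill text log."""
    section, findings, junctions = None, [], []
    for line in text.splitlines():
        if m := JUNCTION.match(line):             # "link => target [Dir]"
            link, target, kind = m.groups()
            junctions.append({"link": link, "target": target, "kind": kind})
        elif m := FINDING.match(line):
            findings.append((section, m.group(1)))
        elif m := SECTION.match(line):
            section = m.group(1)
    return findings, junctions

def needs_review(findings):
    """Findings other than the 'No ... found' all-clear lines."""
    return [(s, f) for s, f in findings if not f.startswith("No ")]

def same_folder(j):
    """Assumed heuristic: link and target share one parent directory."""
    return normcase(dirname(j["link"])) == normcase(dirname(j["target"]))

if __name__ == "__main__":
    findings, junctions = parse_rkill(SAMPLE_LOG)
    print(needs_review(findings))
    print([(j["link"], j["target"], same_folder(j)) for j in junctions])
```
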

#3 Vantezzle


Posted 09 May 2018 - 05:15 AM

So I'm safe?



#4 quietman7


Posted 09 May 2018 - 06:07 AM

We can only go by what any actual scan logs show (what was detected, removed) and your description of whatever issues may be going on or any symptoms of infection you are experiencing. Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong.

If you want a more comprehensive look at your system for possible malware by our experts, there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

If you choose to post a log, please reply back in this thread with a link to the new topic.

#5 Vantezzle


Posted 09 May 2018 - 06:19 AM

I don't see any symptoms except that thing in Rkill.. And yesterday's scans with AdwCleaner, Bitdefender Total Security and MalwareBytes all came up clean.



#6 quietman7


Posted 09 May 2018 - 06:24 AM

Download and run CCleaner Portable to clear out your Internet cache, reboot and run RKill again.

#7 Vantezzle


Posted 09 May 2018 - 06:31 AM

Got a "Windows SmartScreen can’t be reached right now" when I tried to run it..



#8 Vantezzle


Posted 09 May 2018 - 06:42 AM

Right, managed to do what you said but the RKILL entry's still there.



#9 Vantezzle


Posted 09 May 2018 - 06:46 AM

Wait.. "In September 2017, CCleaner v5.33 (32-bit Windows) was compromised with the Floxif trojan that could install a backdoor" Did you just infect my PC!?



#10 quietman7


Posted 09 May 2018 - 07:02 AM

Wait.. "In September 2017, CCleaner v5.33 (32-bit Windows) was compromised with the Floxif trojan that could install a backdoor" Did you just infect my PC!?

That is old news from last year for 32-bit Windows users and the problem was resolved.

Threat actor compromised CCleaner infrastructure

Piriform acknowledged the incident in a blog post today. The company said they found the malware in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.

On September 13, Piriform released CCleaner 5.34 and pushed an update (v1.07.3214) to CCleaner Cloud users that do not contain the malicious code.


CCleaner v5.42.6495 is the current version and was released 04/23/18.



#11 Vantezzle


Posted 09 May 2018 - 07:07 AM

Right, sorry.. Well it didn't fix the RKILL entry.



#12 quietman7


Posted 09 May 2018 - 07:09 AM

Then you will need to follow the instructions in Post #4 for a more comprehensive look at your system.



#13 Vantezzle


Posted 09 May 2018 - 07:11 AM

Is this necessary? Perhaps that entry is normal? I don't see any symptoms.



#14 quietman7


Posted 09 May 2018 - 07:17 AM

It is necessary if you are concerned about the entry. I don't have enough information about it and I don't like to speculate.

#15 Vantezzle


Posted 09 May 2018 - 07:18 AM

I think I'm going to leave it.. It's probably legitimate.





