#691 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 03 June 2013 - 01:18 PM
Version 2.5.3 of Rkill is released with some new command line arguments.
If you run rkill with the -s argument, it will run in silent mode. The only errors it will spit out are fatal errors, which should be rare.
The other option is the -l argument, which allows you to specify the logfile location you wish to use. When using the -l argument, you must specify the full path to the logfile. For example, rkill -l c:\rkill-logfile.txt
Last, but not least, the -h argument will print out a help file on what the available commands are.
Hopefully this update should help those IT/Enterprise Professionals who wish to customize the use of Rkill.
#692 Flaarg
Posted 03 June 2013 - 10:16 PM
Could somebody help me read this log? I don't understand it.
Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 06/03/2013 09:57:03 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* No issues found.
Checking Windows Service Integrity:
* MSDTC [Missing Service]
Searching for Missing Digital Signatures:
* C:\WINDOWS\System32\drivers\mqac.sys [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqac.sys : 72,960 : 07/06/2007 00:52 AM : d92fce6729ee150a15a7cdbc433f390e [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB971032\SP2QFE\mqac.sys : 91,776 : 06/22/2009 00:30 AM : 9229e191fe206628be17d1e67a5faed9 [Pos Repl]
+-> C:\WINDOWS\ServicePackFiles\i386\mqac.sys : 92,544 : 04/13/2008 01:39 PM : 70c14f5cca5cf73f8a645c73a01d8726 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\mqac.sys : 91,776 : 06/22/2009 01:48 AM : eee50bf24caeedb515a8f3b22756d3bb [Pos Repl]
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
Program finished at: 06/03/2013 09:58:01 PM
Execution time: 0 hours(s), 0 minute(s), and 58 seconds(s)
#693 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 04 June 2013 - 03:30 PM
Checking Windows Service Integrity:
* MSDTC [Missing Service]
You are missing a Windows service. You can re-add that service by downloading this registry file and double-clicking on it. When it asks if you wish to merge the data, please allow it to do so.
http://download.bleepingcomputer.com/win-services/xp/MSDTC.reg
This service should not be missing, so you may want to consider following these steps to get a check of your computer.
Searching for Missing Digital Signatures:
* C:\WINDOWS\System32\drivers\mqac.sys [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqac.sys : 72,960 : 07/06/2007 00:52 AM : d92fce6729ee150a15a7cdbc433f390e [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB971032\SP2QFE\mqac.sys : 91,776 : 06/22/2009 00:30 AM : 9229e191fe206628be17d1e67a5faed9 [Pos Repl]
+-> C:\WINDOWS\ServicePackFiles\i386\mqac.sys : 92,544 : 04/13/2008 01:39 PM : 70c14f5cca5cf73f8a645c73a01d8726 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\mqac.sys : 91,776 : 06/22/2009 01:48 AM : eee50bf24caeedb515a8f3b22756d3bb [Pos Repl]
The Windows driver mqac.sys is not signed even though it should be. This could be due to the file being patched or replaced by another one. It should be replaced with the one located at C:\WINDOWS\system32\dllcache\mqac.sys
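The "Searching for Missing Digital Signatures" block above is easier to triage once it is parsed: each [NoSig] file is followed by the [Pos Repl] copies Rkill found, with size, timestamp and MD5. The following is an added example (not Rkill's own code) that groups those lines into records and picks out the dllcache copy the reply recommends; the MD5 column lets you confirm the replacement against a known-good hash before copying it. The sample log is the block quoted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

NOSIG_RE = re.compile(r"^\s*\*\s*(?P<path>.+?)\s*\[NoSig\]\s*$")
REPL_RE = re.compile(r"^\s*\+->\s*(?P<path>.+?)\s*:\s*(?P<size>[\d,]+)\s*:\s*"
                     r"(?P<stamp>.+?)\s*:\s*(?P<md5>[0-9a-fA-F]{32})\s*\[Pos Repl\]\s*$")

@dataclass
class Candidate:
    path: str
    size: int
    stamp: str
    md5: str

@dataclass
class UnsignedFile:
    path: str
    candidates: List[Candidate] = field(default_factory=list)

def parse_nosig(log: str) -> List[UnsignedFile]:
    """Group every [NoSig] file with the [Pos Repl] lines that follow it."""
    found: List[UnsignedFile] = []
    for line in log.splitlines():
        m = NOSIG_RE.match(line)
        if m:
            found.append(UnsignedFile(m.group("path")))
            continue
        m = REPL_RE.match(line)
        if m and found:
            found[-1].candidates.append(Candidate(
                m.group("path"), int(m.group("size").replace(",", "")),
                m.group("stamp"), m.group("md5").lower()))
    return found

def dllcache_copy(entry: UnsignedFile) -> Optional[Candidate]:
    """The Windows File Protection cache copy, the one the reply above points to."""
    for c in entry.candidates:
        if "\\dllcache\\" in c.path.lower():
            return c
    return None

# Constructed sample: the block from the log quoted in this thread.
SAMPLE_LOG = r"""Searching for Missing Digital Signatures:
 * C:\WINDOWS\System32\drivers\mqac.sys [NoSig]
   +-> C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqac.sys : 72,960 : 07/06/2007 00:52 AM : d92fce6729ee150a15a7cdbc433f390e [Pos Repl]
   +-> C:\WINDOWS\$hf_mig$\KB971032\SP2QFE\mqac.sys : 91,776 : 06/22/2009 00:30 AM : 9229e191fe206628be17d1e67a5faed9 [Pos Repl]
   +-> C:\WINDOWS\ServicePackFiles\i386\mqac.sys : 92,544 : 04/13/2008 01:39 PM : 70c14f5cca5cf73f8a645c73a01d8726 [Pos Repl]
   +-> C:\WINDOWS\system32\dllcache\mqac.sys : 91,776 : 06/22/2009 01:48 AM : eee50bf24caeedb515a8f3b22756d3bb [Pos Repl]"""
```

Note that the four copies carry four different hashes, so they are four different builds of the driver; the MD5 is what lets you check which one you are about to put in place.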
#694 Flaarg
Posted 04 June 2013 - 10:57 PM
Checking Windows Service Integrity:
* MSDTC [Missing Service]
You are missing a Windows service. You can re-add that service by downloading this registry file and double-clicking on it. When it asks if you wish to merge the data, please allow it to do so.
http://download.bleepingcomputer.com/win-services/xp/MSDTC.reg
This service should not be missing, so you may want to consider following these steps to get a check of your computer.
Fixed. I'll check for viruses soon.
Searching for Missing Digital Signatures:
* C:\WINDOWS\System32\drivers\mqac.sys [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqac.sys : 72,960 : 07/06/2007 00:52 AM : d92fce6729ee150a15a7cdbc433f390e [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB971032\SP2QFE\mqac.sys : 91,776 : 06/22/2009 00:30 AM : 9229e191fe206628be17d1e67a5faed9 [Pos Repl]
+-> C:\WINDOWS\ServicePackFiles\i386\mqac.sys : 92,544 : 04/13/2008 01:39 PM : 70c14f5cca5cf73f8a645c73a01d8726 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\mqac.sys : 91,776 : 06/22/2009 01:48 AM : eee50bf24caeedb515a8f3b22756d3bb [Pos Repl]
The Windows driver mqac.sys is not signed even though it should be. This could be due to the file being patched or replaced by another one. It should be replaced with the one located at C:\WINDOWS\system32\dllcache\mqac.sys
So you mean I just have to move that one into the other folder, right?
I also can't find the dllcache folder, is it hidden? I don't remember how to make hidden files visible.
#695 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 05 June 2013 - 07:31 AM
So you mean I just have to move that one into the other folder, right?
I also can't find the dllcache folder, is it hidden? I don't remember how to make hidden files visible.
I suggest you follow these steps and have a malware removal team member analyze your computer:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Replacing a patched driver could cause issues if there are issues still present.
#696 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 12 July 2013 - 02:30 PM
Rkill 2.5.5 just released.
Has much better detections for ZA file paths, better ZA reparse point detection, and for patched services will now list md5 sums on the found replacements.
#697 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 17 July 2013 - 04:11 PM
Upgrade Rkill to 2.5.6.
I changed how a certain subset of definitions go after known malware processes. This is going to be much more aggressive. Please let me know if it causes too many false positives.
#698 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 19 July 2013 - 11:38 AM
Rkill 2.5.7 released.
This version includes an indicator in the log as to whether or not the program was run in safe mode. Useful for email support or forums.
#699 technomore
Posted 26 July 2013 - 08:38 AM
rkill locates two services that we use
c:\windows\LTSVC\LTSVC.exe (PID: 1552) [WD-HEUR]
c:\windows\LTSvc\LTSvcMon.exe (PID: 2784) [WD-HEUR]
Can we add those to the exceptions?
For LabTech, our MSP monitoring.
#700 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 26 July 2013 - 09:07 AM
At this time Rkill does not utilize a whitelist as it can be exploited by malware developers. In the future we may provide the ability for users to use their own whitelists and activate them via command line switch.
As for the LabTech software, if they are placing software under the Windows folder they really should digitally sign them.
#701 Phen0m24
Posted 28 July 2013 - 05:59 AM
Grinler (Lawrence) I made an account just to come in and say thank you as I have used Rkill a number of times with great success.
I worked on an XP machine a few weeks ago that was afflicted with malware so nasty that I couldn't get Rkill to run. Fortunately there was a malware site that had paid the "bounty" if you will by paying off the malware and providing a login for it. Entering that data stopped the malware and then rkill worked.
Have you come across a similar scenario? Thanks again for all your work and for a fantastic tool!
Glenn
#702 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 28 July 2013 - 08:25 AM
Did you try running Rkill renamed as Rkill.com? Do you remember the site or the infection?
#703 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 31 July 2013 - 04:46 PM
Version 2.5.8 Released.
This version contains an update to detect the latest version of the ZeroAccess rootkit. This rootkit now masquerades as Google Update and includes unicode characters in the filenames to make it more difficult to remove.
More info about this variant can be found here:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1713&start=410#p20271
#704 Phen0m24
Posted 01 August 2013 - 05:20 AM
Did you try running Rkill renamed as Rkill.com? Do you remember the site or the infection?
Good morning Lawrence - I will try to get the exact name but it was a command center (Braviax-looking) clone. I tried to run rkill in multiple forms - but they would stop immediately. There was a malware site that provided a login in order to stop it, and at that point I was able to run rkill and start the clean-up process. (will check back with the client but no promises - they may have forgotten)
Thanks again
#705 Grinler (Lawrence Abrams), Admin, Topic Starter
Posted 02 August 2013 - 11:20 AM
Rkill 2.5.9 has been released. This version adds a new white listing component for IT, Consultants, and Enterprise support who are finding some of their remote support or other applications are being terminated by Rkill. Using this feature you can specify a custom white list file that contains a list of processes that should not be terminated.
When creating this file it must be saved in either ANSI or UTF-8. The file should consist of a list of processes with each process being on their own line. Each process you want to whitelist must also be listed using the full path such as C:\Windows\System32\App1.exe. You can specify the whitelist file using the -w command line argument. Please note, there is no need to enclose paths with spaces in quotes. In fact quotes will cause the files not to be properly matched.
An example command to start rkill using a whitelist is:
rkill -w c:\users\user\desktop\wl.txt
When giving the name of the white list, you can also use some variables to make it easier. These are:
%SystemDrive% - This will expand to the drive letter that Windows is installed. Typically expanding to C:.
%WinDir% - Expands to the folder where Windows is installed. IE: C:\Windows
%System% - Expands to the System32 folder in Windows. IE: C:\Windows\System32
%Desktop% - Expands to the desktop folder for the currently logged in user.
%UserProfile% - Expands to the UserProfile folder.
%AllUsersProfile% - Expands to the All Users Profile folder.
An example whitelist file is as simple as:
c:\windows\app1.exe
c:\remote.exe
"c:\program files\test.exe"
When you run Rkill using a whitelist, it will state that White List mode is enabled and then display the logfile. If there are any issues with your white list file it will alert you. Last, but not least, if you use a whitelist, rkill will display a list of processes that matched the contents of your whitelist and that were ignored.
Hope this new feature helps.
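To make the rules in this post concrete (one full path per line, the %...% variables, no quotes, matched processes listed as ignored), here is an added example that emulates that whitelist handling; it is not Rkill's own code, and the variable values, the LTSVC paths from the earlier LabTech post and the flagged-process list are constructed so it runs offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample values for the variables the post documents; a real run
# would take them from the environment (this is an emulation, not Rkill's code).
SAMPLE_VARS: Dict[str, str] = {
    "%SystemDrive%": "C:",
    "%WinDir%": r"C:\Windows",
    "%System%": r"C:\Windows\System32",
    "%Desktop%": r"C:\Users\user\Desktop",
    "%UserProfile%": r"C:\Users\user",
    "%AllUsersProfile%": r"C:\ProgramData",
}

def expand_vars(entry: str, variables: Dict[str, str] = SAMPLE_VARS) -> str:
    """Expand the %...% variables case-insensitively."""
    for name, value in variables.items():
        entry = re.sub(re.escape(name), lambda _m: value, entry, flags=re.IGNORECASE)
    return entry

def load_whitelist(text: str) -> Tuple[List[str], List[str]]:
    """Return (normalised full paths, warnings) from the whitelist file contents."""
    entries, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        path = expand_vars(line)
        if '"' in line:  # the post warns that quotes stop the path from matching
            warnings.append(f"line {lineno}: quotes prevent matching: {line}")
        elif not re.match(r"^[a-z]:\\", path, re.IGNORECASE):
            warnings.append(f"line {lineno}: not a full path: {line}")
        entries.append(path.lower())
    return entries, warnings

def apply_whitelist(flagged: List[Tuple[str, int]], entries: List[str]):
    """Split flagged (path, pid) pairs into (ignored, to_terminate)."""
    ignored, terminate = [], []
    for path, pid in flagged:
        (ignored if path.lower() in entries else terminate).append((path, pid))
    return ignored, terminate

# Constructed inputs: the two LabTech processes from an earlier post, plus one
# path that stays quoted in the whitelist so it can never match.
SAMPLE_WHITELIST = '%WinDir%\\LTSVC\\LTSVC.exe\nc:\\remote.exe\n"c:\\program files\\test.exe"\n'
SAMPLE_FLAGGED = [(r"c:\windows\LTSVC\LTSVC.exe", 1552),
                  (r"c:\windows\LTSvc\LTSvcMon.exe", 2784),
                  (r"c:\program files\test.exe", 9001)]
```

Only LTSVC.exe is ignored: LTSvcMon.exe is not listed, and the quoted test.exe line is reported as a whitelist problem rather than matched.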