New version of RKill issues...RESTART

Status
Not open for further replies.
Plexx

Thread author
Has anyone used the new RKill version?

I attempted today whilst doing the special avast! review and the system was infected with more than one fake av.

Ran the new RKill version and it rebooted the system, but then the fake AVs ran again.

Older version of RKill would not restart the system.

Is it supposed to be like that?

Guess I will continue to use the old version of RKill for now or even MBAM Chameleon.
 

Grinler

From BleepingComputer.com
Aug 16, 2012
5
Do you have a copy of the Rkill log that was generated or know the processes that were terminated?

I just released version 2.2 of Rkill that should resolve the issues of certain system files being terminated in certain situations. There is a good chance the machine was infected with ZeroAccess, which caused Rkill to kill services.exe. That was probably what triggered the reboot.

The new version has resolved that issue.

As always if there are any questions regarding the use of Rkill, please let me know here:

http://www.bleepingcomputer.com/forums/topic308364.html
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Grinler said:
I just released version 2.2 of Rkill that should resolve the issues of certain system files being terminated in certain situations. There is a good chance the machine was infected with ZeroAccess, which caused Rkill to kill services.exe. That was probably what triggered the reboot.

The new version has resolved that issue.

Indeed. I have also seen a few cases in which users were alerted that their computer will be restarted after this compromised service was killed...
Rkill is a great tool and all I can say is thanks and keep up the great job!
 
Plexx

Thread author
Grinler said:
Do you have a copy of the Rkill log that was generated or know the processes that were terminated?

I just released version 2.2 of Rkill that should resolve the issues of certain system files being terminated in certain situations. There is a good chance the machine was infected with ZeroAccess, which caused Rkill to kill services.exe. That was probably what triggered the reboot.

The new version has resolved that issue.

As always if there are any questions regarding the use of Rkill, please let me know here:

http://www.bleepingcomputer.com/forums/topic308364.html

Unfortunately I do not have a copy of the logs but there is the information available in one of my videos. This is the video: http://www.youtube.com/watch?v=7u3QaXX8Zp0

System was infected with ZeroAccess so services.exe was infected.

So the new version of RKill will not restart the system upon ending the processes?

Once again, thanks for the clarification and for keeping up such good software.
 
Deleted member 178

Thread author
Bioz,

Maybe you should rename this thread (e.g. "Rkill support thread" or similar) so our friend Grinler can post here when he releases a new version, or give some advice/help.
 

Grinler

From BleepingComputer.com
Aug 16, 2012
5
Biozfear said:
So the new version of RKill will not restart the system upon ending the processes?

The new version won't terminate system processes that when terminated cause Windows to reboot. Instead you will be shown later on in the log that the file is possibly patched.

An example of a log with ZA:

Code:
Rkill 2.2.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/17/2012 12:16:09 PM in x64 mode.
Windows Version: Windows 7

Checking for Windows services to stop.

 * No malware services found to stop.

Checking for processes to terminate.

 * No malware processes found to kill.

Possibly Patched Files.

 * C:\Windows\system32\services.exe

Checking Registry for malware related settings.

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

 * ALERT: ZEROACCESS rootkit symptoms found!

     * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\ [ZA Dir]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\L\ [ZA Dir]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\L\00000004.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\n [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\ [ZA Dir]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\00000004.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\00000008.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\000000cb.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000000.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000032.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000064.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\ [ZA Dir]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\L\ [ZA Dir]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\L\00000004.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\L\201d3dde [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\n [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\ [ZA Dir]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\00000004.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\00000008.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\000000cb.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000000.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000032.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000064.@ [ZA File]
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
     * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

Checking Windows Service Integrity: 

 * BFE [Missing Service]
 * BITS [Missing Service]
 * iphlpsvc [Missing Service]
 * MpsSvc [Missing Service]
 * WatAdminSvc [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]
 * wuauserv [Missing Service]
 * SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures: 

 * C:\Windows\System32\services.exe [NoSig]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 09:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]

Program finished at: 08/17/2012 12:16:12 PM
Execution time: 0 hours(s), 0 minute(s), and 2 seconds(s)
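
As an added example (not part of the thread and not Rkill's own code), a small Python parser for the log layout shown in the post above, pulling out the patched-file, ZeroAccess, service-integrity and replacement-candidate entries. The function names are assumptions made for this example, the sample is abbreviated from that log, and the section names are taken from that one log only.

```python
import re
from collections import defaultdict

# Sample input: abbreviated from the Rkill 2.2.1 log posted above.
SAMPLE_LOG = r"""
Possibly Patched Files.
 * C:\Windows\system32\services.exe
Performing miscellaneous checks.
 * ALERT: ZEROACCESS rootkit symptoms found!
     * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\ [ZA Dir]
Checking Windows Service Integrity:
 * WinDefend [Missing Service]
 * SharedAccess [Missing ImagePath]
Searching for Missing Digital Signatures:
 * C:\Windows\System32\services.exe [NoSig]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 09:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]
"""

# " * value [optional tag]" bullet, and the " +-> path : size : date : md5 [Pos Repl]" line.
ITEM = re.compile(r"^\s*\*\s+(?P<value>.+?)(?:\s+\[(?P<tag>[^\]]+)\])?\s*$")
REPL = re.compile(r"^\s*\+->\s+(?P<path>.+?) : (?P<size>[\d,]+) : (?P<mtime>.+?)"
                  r" : (?P<md5>[0-9a-f]{32}) \[Pos Repl\]\s*$")

def parse_rkill_log(text):
    """Group bullet items under their section header; attach '+->' lines to the item above."""
    sections, current, last = defaultdict(list), None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        repl = REPL.match(line)
        if repl and last is not None:
            last["replacement"] = repl.groupdict()
            continue
        item = ITEM.match(line)
        if item and current:
            last = {"value": item["value"], "tag": item["tag"]}
            sections[current].append(last)
        elif not line[0].isspace():  # section headers start at column 0
            current, last = line.strip().rstrip(".:"), None
    return sections

def triage(sections):
    """Pull out the entries a responder checks first in a log like this one."""
    tagged = lambda name: {i["value"]: i["tag"] for i in sections[name]}
    misc = tagged("Performing miscellaneous checks")
    return {
        "patched": list(tagged("Possibly Patched Files")),
        "za_indicators": [v for v, t in misc.items() if t and t.startswith("ZA ")],
        "broken_services": tagged("Checking Windows Service Integrity"),
        "replacement_md5": {i["value"]: i["replacement"]["md5"]
            for i in sections["Searching for Missing Digital Signatures"] if "replacement" in i},
    }
```
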
 