Malware Process Terminator and Anti-Malware Assistant


Galdorf
01-09-2010, 01:52 AM
This is a useful tool; I use it a lot with fake AVs, especially Security Tool, to allow me to run Process Explorer, Autoruns, Malwarebytes and Spybot S&D.

Malware Process Terminator and Anti-Malware Assistant.

Rkill is a free download from BleepingComputer.com and available in different file extensions:

* rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
* rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
* rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
* rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)

One neat trick I have learned, which seems to work 99% of the time, is to rename rkill.exe to explorer.exe and then run it a few times; it will terminate the rogue processes.


Rkill was created by Microsoft MVP Lawrence Abrams, also known as Grinler on several security forums and at BleepingComputer.com.

Alan22
01-09-2010, 02:51 AM
Nice, thanks for the post. I'm putting this into my little bag of tricks. I've been getting so many calls about fake AVs lately.

Methical
01-09-2010, 04:13 AM
Thanks for that. BleepingComputer has quite a few nice tools published. The problem is digging them up :)

hondablaster
01-09-2010, 04:55 AM
It's funny you posted this right now. I'm at a party (right now, I know, geeky, right?) and I was asked to fix a laptop that "had a virus", which it did; it was a rogue antivirus (Antivirus Live).

After fighting it using my standard methods, I used a different guide for manual removal which consisted of running rkill.com. WORKED FLAWLESSLY. Now I have an updated Malwarebytes doing a scan and I'm enjoying the party!

I think the timing of your post is perfect!!!! :) Great tool!

NYJimbo
01-09-2010, 05:51 AM
(Antivirus Live)


I love that virus. I make so much money doing 5 regedit changes and rebooting. :D

dannyict
01-09-2010, 06:36 AM
NYJimbo, care to tell us which ones?

iisjman07
01-09-2010, 07:23 AM
Added to my Ketarin script; I wonder how often it's updated.

Keegan
01-09-2010, 11:22 AM
NYJimbo, care to tell us which ones?


Associated Antivirus Live Files:

%UserProfile%\Local Settings\Application Data\<random>\
%UserProfile%\Local Settings\Application Data\<random>\<random>sysguard.exe



Associated Antivirus Live Windows Registry Information:

HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"

from: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-live
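The indicator list above is what a technician actually checks after Rkill has stopped the process, so here is a PowerShell script that walks it: the four HKCU values with the exact settings Antivirus Live writes, the AvScan key, any Run entry pointing at a *sysguard.exe dropper, and the dropper itself under Local Application Data. This is an added example, not code from the original post or from BleepingComputer; it assumes the values the post lists and matches ProxyServer on the 127.0.0.1:5555 loopback proxy that leaves the browser blocked after removal. The -Remove switch and the ProxyEnable reset are additions of this example.

```powershell
# Added example: report (and optionally remove) the Antivirus Live indicators listed above.
# Not part of the original post or of Rkill. Run from an elevated prompt so the HKLM
# Run key is readable; report-only unless -Remove is given.
param([switch]$Remove)

# Registry values from the post, with the value Antivirus Live sets.
$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';
       Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';
       Name = 'ProxyServer'; Bad = 'http=127.0.0.1:5555' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';
       Name = 'LowRiskFileTypes'; Bad = '.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';
       Name = 'SaveZoneInformation'; Bad = '1' }
)

$hits = @()

foreach ($i in $indicators) {
    if (-not (Test-Path $i.Path)) { continue }
    $v = (Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue).($i.Name)
    if ($null -ne $v -and "$v" -eq $i.Bad) {
        $hits += "$($i.Path)\$($i.Name) = $v"
        if ($Remove) {
            Remove-ItemProperty -Path $i.Path -Name $i.Name
            # Dropping ProxyServer alone is not enough: ProxyEnable must go back to 0
            # or IE keeps trying the now-missing loopback proxy (assumption of this example).
            if ($i.Name -eq 'ProxyServer') {
                Set-ItemProperty -Path $i.Path -Name 'ProxyEnable' -Value 0 -Type DWord
            }
        }
    }
}

# The whole AvScan key is an indicator on its own.
if (Test-Path 'HKCU:\Software\AvScan') {
    $hits += 'HKCU:\Software\AvScan (key present)'
    if ($Remove) { Remove-Item 'HKCU:\Software\AvScan' -Recurse }
}

# Run entries: the value name is random, so match on the dropper path instead.
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $runKey)) { continue }
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        if ("$($p.Value)" -match 'sysguard\.exe') {
            $hits += "$runKey\$($p.Name) = $($p.Value)"
            if ($Remove) { Remove-ItemProperty -Path $runKey -Name $p.Name }
        }
    }
}

# The dropper: <random>\<random>sysguard.exe under Local Application Data
# ("Local Settings\Application Data" on XP, "AppData\Local" on Vista and later).
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
Get-ChildItem -Path $localAppData -Recurse -Filter '*sysguard.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hits += "$($_.FullName) ($($_.Length) bytes)"
        if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
    }

if ($hits.Count -eq 0) {
    Write-Output 'No Antivirus Live indicators found.'
} else {
    Write-Output "Antivirus Live indicators:`n  $($hits -join "`n  ")"
    if (-not $Remove) { Write-Output 'Kill the process first (Rkill), then re-run with -Remove.' }
}
```

Run it report-only first; if the sysguard.exe process is still alive it will re-create the Run value and the registry settings faster than the script removes them, which is the whole reason the thread leads with Rkill.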

Jim Perth
01-09-2010, 04:15 PM
Thanks for posting that. A very handy little tool indeed

Kenhelms
01-11-2010, 08:52 PM
Yes, Antivirus Live makes some serious money.

Just remember that oftentimes you have to change the proxy settings for Explorer as well. About 90% of the time it seems to set it up, and after removal it blocks the internet. Edit: I just read the page on BleepingComputer and see it's on there, but just in case someone is like me and does not go through the link, I'll leave it up.

Thanks for the post!
By the way, make sure you guys disable your antivirus when you download it; it seems like most of them get a false positive on it.

tekgeek
01-12-2010, 02:08 AM
This is funny. I was dealing with this exact problem with a customer and was on the phone with the client, connected remotely through CrossLoop.

I was looking for a way to get Process Explorer installed and was checking this site for the location (remotely), and here directly, and found this thread....

Well, I was a bit busy trying to fix the client's issue to read this thread; I just left it open to read it later. After lots of fussing with the computer and getting it working again, I hung up with her and read this article, which gave me a better way to do what I had just spent a few hours on a slow connection doing.

Methical
01-12-2010, 09:50 AM
Cheers mate, nice find. Adding to Ketarin.

Is there a homepage for this product for further reading? I know it's created by an MVP from BleepingComputer.com. I did a Google search for some info on it and found some on a few blogs, but thought that there might be an official homepage buried in BleepingComputer somewhere.

steve51
01-12-2010, 10:22 AM
Many thanks for yet another very useful tool. I am seeing more and more of these fake AVs/rogue spyware, so anything that speeds up the removal is a big help.

kdyer
01-13-2010, 05:31 PM
Cheers mate, nice find. Adding to Ketarin.

Is there a homepage for this product for further reading? I know it's created by an MVP from BleepingComputer.com. I did a Google search for some info on it and found some on a few blogs, but thought that there might be an official homepage buried in BleepingComputer somewhere.

Methical,

Have a gander at http://www.gmer.net/, as this goes into more detail on what the rkill app does.

HTH,

Kent

arrow_runner
01-13-2010, 06:52 PM
In regards to Antivirus Live: Has anyone seen where it will rename an exe and then put an infected placeholder file there instead?

For example, the infection I saw yesterday had about 8 files like the following


realplay .exe (383k) - renamed, original file
realplay.exe (40k) - placeholder, malicious file

cmd. exe (93k) - renamed, original file
cmd.exe (40k) - placeholder, malicious file

You might want to check for that with your infections. This one seemed to be renaming an executable you ran. Luckily the computer was off within 3 minutes of the first sign of infection.
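The renamed-original / placeholder pairs described in the post above are something a scanner for the usual indicators will miss, so here is a PowerShell script, added as an example and not part of the original post, that looks for them. It assumes the renamed original keeps its name with a space inserted next to the extension ("realplay .exe", "cmd. exe", as shown in the post) and that the real file sits beside it under the clean name; the 64 KB size threshold, the Authenticode check and the MD5 comparison are heuristics of this example for ranking hits, not a definition of the infection.

```powershell
# Added example: find "name .exe" / "name.exe" pairs like the ones described above.
# Not part of the original post. Assumes the renamed original differs from the clean
# name only by whitespace around the extension; size/signature/hash are ranking heuristics.
param(
    [string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles),
    [int]$PlaceholderMaxBytes = 64KB
)

$md5 = [System.Security.Cryptography.MD5]::Create()
function Get-Md5Hex([string]$Path) {
    [BitConverter]::ToString($md5.ComputeHash([IO.File]::ReadAllBytes($Path))).Replace('-', '')
}

$pairs = @()
foreach ($root in $Roots) {
    if (-not ($root -and (Test-Path -LiteralPath $root))) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Capture the stem, allowing whitespace before or after the dot.
            if ($_.Name -notmatch '^(.+?)\s*\.\s*exe$') { return }
            $cleanName = $matches[1].TrimEnd() + '.exe'
            if ($cleanName -eq $_.Name) { return }      # no inserted space: an ordinary exe
            $placeholderPath = Join-Path $_.DirectoryName $cleanName
            if (-not (Test-Path -LiteralPath $placeholderPath)) { return }
            $placeholder = Get-Item -LiteralPath $placeholderPath
            $pairs += [pscustomobject]@{
                Directory        = $_.DirectoryName
                Original         = "$($_.Name) ($($_.Length) bytes)"
                Placeholder      = "$($placeholder.Name) ($($placeholder.Length) bytes)"
                SmallPlaceholder = ($placeholder.Length -le $PlaceholderMaxBytes)
                PlaceholderSig   = (Get-AuthenticodeSignature -FilePath $placeholder.FullName).Status
                PlaceholderMd5   = Get-Md5Hex $placeholder.FullName
            }
        }
}

if ($pairs.Count -eq 0) {
    Write-Output 'No renamed-original / placeholder pairs found.'
} else {
    # One MD5 repeated across every pair means a single dropped file was copied into
    # each slot; an 'Valid' signature on the placeholder would be unexpected.
    $pairs | Sort-Object Directory | Format-Table -AutoSize
}
```

Recovery for each confirmed pair is manual: stop the process, delete the placeholder, and rename the original back to its clean name. Rkill only kills processes, so it will not undo this on its own.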