Rkill – Repair Tool of the Week

The malware world is changing. It’s getting smarter.
In fact, some infections will detect that you have launched an anti-malware tool such as MalwareBytes and close it down as soon as you open it, which makes your job much harder. This is the exact situation Rkill is designed for.

Rkill is a small, freeware and portable tool designed to terminate active malware processes allowing you to use other removal tools. Rkill is made by a Microsoft MVP “Lawrence Abrams” and is available in 4 different extensions. An .EXE, .COM, .SCR and a .PIF file.
The reason why Rkill comes in 4 different versions is because some malware will block .EXE files in an attempt to prevent you from running other malware removal tools, so this gets around that problem.

I tested this tool on a virtual machine which I had infected with a fake antivirus and Rkill killed the malicious processes without any problems. Of course, I then had to delete the malicious files manually as this is not a malware removal tool, but a malware process killing tool. It just stops the malware from running right now, allowing you work your computer technician magic.

Edit: Looks like we are lucky enough to have the creator of this, Lawrence Abrams with us to explain what Rkill does in greater detail.

First, the program was designed for the use in my malware removal guides so that I can have a tool that is easy to use and kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that we can use the normal anti-malware program to their job.

So in summary rkill just kills processes, imports a reg file that restores HKEY_CLASSES_ROOT\exefile\shell\open\command, removes policies that disable regedit, taskmgr, hides your desktop icons, etc, and removes a key used by a malware protection process. Then it kills explorer so it will restart and enable some of the reg changes. Other than what is listed above, it does nothing else. It does not create a report, because this tool was not made to be fancy but made made to help novice users remove malware through my guides. Maybe in the future I will include a report of what it has killed. It is not a priority though right now.

His comment number is #21 for the full information.

Additionally, due to time restraints the creator of it cannot support RKill on any site other than his site BleepingComputer. Its just too difficult to support multiple topics on multiple sites at the same time. So, he has created a single forum thread on his site for supporting RKill. If you need any Rkill support, please visit this thread. Comments will be closed here on Technibble.

Screenshots:

RKill


Downloads:

rkill.exe – Download from BleepingComputer.com – 257kb

Special thanks to the Technibble forum member Galdorf for recommending this one.



Comments (133)

  • Joe Spaventa says:

    This looks like a very usefull tool. I cannot wait to test it out! Thanks for the upload!!

  • Andy says:

    This is just what I needed for the Security Tool and Antivirus 2009 malware that commonly infects computers, which prevents you from running and/or installing and AV software. Hope it works :)

  • joe says:

    rkill.pif download triggers an antivirus response.

    Comments please.

  • shawn says:

    Sonicwall Gateway Antivirus flags these downloads as a Trojan..

  • Codah NiNi says:

    False positive. It’s just because of how the program works.

  • joe says:

    Mr Whitty,

    Can you vouch for these programs and assure us that these are false positives. Your input would be quite valuable.
    Thank you.

  • Jim Boyd says:

    I dont trust anything that kills processes without giving me a list of exactly what if has found and shutdown. This thing just does its thing and leaves you completely in the dark.

    It also does a number on any software if find that stores activation information/serials in a .dll like battery bar and certain Adobe products….and yes these were LEGIT installs.

  • shawn says:

    Agreed. The user should have more control over what it is doing, or at least have more of a report.

  • Bryce W says:

    Virus total report: http://www.virustotal.com/analisis/1f3ba67a7af7732dca5ea3829810859010335d2f2ff4981903382131e1caac93-1263500748

    Look at the threat names of the few that report it “FakeAlert” and “LooksLike.win32.trojan”.

    I tested this on my virtual machine and it did as it says on the box. As you guys have said though, a report would be nice.

    Some technicians have been using it on the forums too: http://www.technibble.com/forums/showthread.php?t=12371

    While this application doesnt have it own site, it is from BleepingComputer which is one of the most trusted virus removal forums out there. Its not hard to make a pretty site for an application, but it is hard to be backed by such a respected site.

    Still, If you don’t feel comfortable using it, don’t use it. Its your choice.

  • Jim Boyd says:

    At best this thing should only be used in a last resort scenario…unless you just like running through mine fields blindfolded….

    BleepingComputer is no more reputable than any other public forum and as such they do recommend a stinker now an then….this is one of them

  • Chad F says:

    Rkill works like a charm when nothing else was working… had 2 different PCs I cleaned for friends this weekend that both had Internet Security 2010… Only way I could get to the cleaning process was to first run rkill.com (I tried the rkill.exe but it didn’t show anything…virus was blocking it…also task manager was disabled and even with registry trick couldn’t take back control of it…it was truly nasty)

    Anyways, I’ve added Rkill to my thumb drive toolkit as it’s now a must have for me to get rid of the newer spyware/malware…

    Oh and Jim Boyd, why all the hate for Rkill? You just seem to be trying to tell everyone how evil Rkill is, but in fact it’s extremely helpful to the people that have to deal with spyware infected PCs on a day to day basis…

  • Tech.31003 says:

    Just like Chad F, I have recently used rkill.exe to remove Security Tool from 3 different computers: (1) a friend’s, (2) my sister’s, and (3) my brother-in-law’s.

    I booted the computers in safe mode, ran rkill.exe, installed and ran Malwarebytes, and manually checked for any Security Tool related items. I found this tool very valuable.

    Perhaps the reason why it triggers antivirus responses is because it “kills processes” – same behavior that most malware possesses.

  • Dan says:

    I had cause to use this for the first time just this week. Does what it says on the tin, and helped me out with getting rid of “Personal Security”.

    Like others, I agree that v2 could do with some sort of report though…

  • Tom Sparks says:

    But aren’t we talking about just a temporary process kill that gives the technician the opportunity to remove the virus? If it had accidentally terminated something it shouldn’t have wouldn’t that be restored at reboot? It seems that this would calm the concerns mentioned here. Am I correct in these assumptions?

  • joe says:

    Mr Whitty, Thank you for your input.

    It cleared up any questions.

  • tekgeek says:

    tom sparks you are correct there….

    its just killing the process like you would close any program down and
    doing a reboot will bring it back up

    doing a Ctrl-Alt-Del will bring up
    the windows task manager where you
    can view processes and click the
    little button at the bottom and end
    any process which is the same thing

    most of the people here that are complaining act like killing it is like uninstalling or deleting the file

    maybe it should have been named
    rEND.exe to keep people from getting
    all excited about it

  • V says:

    Like Chad F says This program works great. I had to remove the Antivirus 2010 malware from someones machine and I did use rkill. Antivirus 2010 now digs deeper into your machine and makes you think everything is a virus. Once the malware is running it flags even the smallest programs as a virus. I was going to try to take screen shots on the infected computer to show people what they had but the malware even flagged the MS Paint program as a virus. Once rKill did it’s job I could proceed with the removal be it manually or with a program such as malwarebytes.

    Some notes, like another user stated any process this program does kill gets restarted on next bootup. Even if it kills a process you do not want killed it should not matter during malware removal as the point is to be able to clean the machine not to use it at that time.

    One thing about rKill though and is stated in instructions I read somewhere Antivirus 2010 and others may flag it as a virus, this warning is from the malware not your real antivirus in most cases and if from your real antiviurs is most likely a false positive.

    You get the warning about rKill because the malware don’t want you to use it to kill the malware processes, if you do get a warning rKill will be shut down. Just ignore any messages and run rKill again and again until it kills all necessary processes and ends on it’s own successfully.

    As a final note. I have done 2 machines with the same issue using rKill and malwarebytes, both machines were done 4 to 6 weeks ago, encouraged the owners to purchase the pro version of malwarebytes, both machines are working just fine and have not been reinfected.

    Yes I was a bit worried to test rKill but at the time it was a risk worth taking. Glad I did.

  • V says:

    Let me make a small edit to my last post. When I spoke of Antivirus 2010 I ment to say Antivirus System Pro not that there is much difference in the two but there is a difference.

    Just thought I would bring it up my self instead of someone crushing me for a momentary memory coffee break.

  • bob says:

    this one is kinda strange, you don’t know what it is doing. I feel it’s ok to use on my personal computer but what about a customer’s computer?

    But I guess when a customer comes in and their pc is totally messed up with malware they just want it fixed. Sometimes it’s so bad I just call and tell them it’s better to reformat the drive and reinstall windows, so before I do that I can run Rkill.

  • bob says:

    what I’m saying is I guess it can’t do anymore harm.

  • Hi All,

    My name is Lawrence Abrams and I am the creator of the rkill tool and the owner of BleepingComputer.com. I was notified of this article and wanted to give some information about the tool and clear up some wrong information being provided by a certain commenter.

    First, the program was designed for the use in my malware removal guides so that I can have a tool that is easy to use and kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that we can use the normal anti-malware program to their job.

    So in summary rkill just kills processes, imports a reg file that restores HKEY_CLASSES_ROOT\exefile\shell\open\command, removes policies that disable regedit, taskmgr, hides your desktop icons, etc, and removes a key used by a malware protection process. Then it kills explorer so it will restart and enable some of the reg changes. Other than what is listed above, it does nothing else. It does not create a report, because this tool was not made to be fancy but made made to help novice users remove malware through my guides. Maybe in the future I will include a report of what it has killed. It is not a priority though right now.

    Now let us discuss the comments left by Jim Boyd, who seems to have taken a strong dislike to this tool for some reason:

    1. “It also does a number on any software if find that stores activation information/serials in a .dll like battery bar and certain Adobe products….and yes these were LEGIT installs.”

    This is entirely inaccurate. As stated, this program only kills processes. It used to delete specific Windows Police Pro malware files, but I had removed that. If a process is terminated by rkill as an FP, then a reboot will fix it. Not sure where his claims stem from, but they are false.

    2. “At best this thing should only be used in a last resort scenario…unless you just like running through mine fields blindfolded…. BleepingComputer is no more reputable than any other public forum and as such they do recommend a stinker now an then….this is one of them”

    Not sure how terminating processes that wil be started again on a reboot is running through a mine field. I think you need to do a little more due dilligence on a program before making such comments. As for BleepingComputer.com, which is much more than just forums, myself and the staff at BleepingComputer.com work incredibly hard to give our users safe and reliable information on how to fix problems and secure their computers. We monitor the forums so that there are no hot links to malware, remove email addresses that users post, and provide warnings when people instruct members to perform acts that could be deemed risky. So, yes I think the BleepingComputer.com forums are very reputable and I will stand behind that statement in every way. Regardless, this tool is not promoted in the forums. Its primary use is in the malware removal guides which are not publicly posted by our members, but at this time, only me.

    As for why it was called rkill, well the app was designed to kill rogue processes and the malware that protects them.

    Hope this clears up any misconceptions that people may have had or that have been promoted via certain commenters.

    Lawrence Abrams (Grinler)
    BleepingComputer.com
    http://www.bleepingcomputer.com/

  • bob says:

    when I ran it my screen went black for a few seconds. I don’t mind using us on my own pc but a little uneasy to use it on a customer’s pc.

    I wish it would tell us what processes it’s killing.

  • Yesterday, I had posted a detailed explanation as to what Rkill does, why it is named what it is, etc. For some reason that comment has not been approved at the time of this writing (1/17/10 8:36 PM EST). I also sent an email to news@technibble.com asking about this but received an error stating that the email does not exist. If my previous comment is approved then you will know exactly what rkill does.

    As for your statements Jim Boyd:

    “And for the record…I have a PHD in Computer forensics and that more than qualifies me to comment on this thing.”

    If what you say is true then you should be able to see that rkill in fact has no possible way to affect any of the programs installed on your computer. It does not delete anything, though it had at one point killed some windows police pro files, fixes some basic reg keys, and terminates processes. Rebooting will resolve any issues that occur from running the program. So your statement that rkill affects programs is entirely false.

    “Frankly, Im shocked Bryce allows this name calling rubbish to remain on this site…definitely NOT a good reflection on his professionalism either..”

    The fact that you make entirely false statements is not a good reflection on your either.

    I hope that the staff of Technibble will approve my previous comment so you can find out exactly what rkill does and so I can provide accurate information for the tool.

    Lawrence Abrams
    BleepingComputer.com

  • mindydee113 says:

    does rkill install anything else onto your computer along with it? i had a nasty malware i had a hard time getting rid of. i came across a bleepingcomputer site with instructions how to get rid of problem. this was so very helpful and did the trick. this is how i came across info about rkill. i am grateful to have found out about it. i am what you would call a tech novice and the rkill and bleepingcomputer instructions are what someone like me needed to take care of problem and save money. i do not want to have to pay somebody else every time a virus pops up. my only question is this, after the virus was gone there is two shortcuts left over on my desktop. one is called “pev.exe” and the other is “ncmd.cfxxe”. i have no idea what these are and am coming up short in researching them. did rkill put them there when i downloaded it, or could it be left over from the virus? help, anybody? thanks!

  • MindyDee, those 3 files can be deleted. They were extracted by the program when it runs, and as the rogue terminated it, they were left behind. Now that your infection is gone, you can just run rkill again to delete the files or delete them manually.

  • ing10 says:

    Got the same problem as mindydee113 BUT rkill in safe mode network not working, and in safe mode the black little window comes up and then quickly disappears, then nothing…. From my usb key; copy rkill.com to safe mode desktop, for a second three icons left on desktop comes up (pev.exe, ncmd.cfxxe and rkill with blue bubbles) but disappear in 2 sec. Why? And then my screen jumps to the previous black screen safe mode ( with no icons on there) and warning comes up saying “Windows running in safe mode….. and if I want to proceed to work in Safe Mode click yes. If you prefer to use SYSTEM RESTORE to restore your computer to previous state click No.” When I answer no, I go back to safe mode desktop and if I quickly double click rkill.com again, then click “bubble” rkill icon, then it comes up if I want to Add rkill.reg to the Registry? Why is it not working? Struggling since yday to get Antivirus Live off my laptop. Any suggestions please?!? Should I move-on to Malewarebytes… link?

  • Jim Boyd says:

    I see that dispite Bryce’s best efforts….children still make it through the cracks.

  • Jim Boyd says:

    How sad that sites like this get ruined by illiterates who lack the creativity and intelligence to respond to anything with the need to resort to school yard name calling…

  • ing10, exe stopping malware will attempt to terminate rkill. When this happens the black window will appear for a second or two before it is killed by the malware. In situations like this you need to just keep running rkill over and over till it finally catches and the malware can’t stop it fast enough. It should then run and kill the malware process allowing you to run your traditional anti-malware program.

  • Róisín says:

    Hi Lawrence,

    Your input is very much appreciated – I’m finding it very helping. I do have one quick question. When I run rkill, a pop up box appears that tells “Can not create some of your include files. pev.exe. Continue” I’d really appreciate any help. Also, don’t know if you’re aware but rkill, in Irish Gaelic, sounds like the word for “graveyard”. Kinda apt, I think! :)

  • Hi Róisín, I did not know that about the Irish Gaelic translation, but do like it :)

    When you run it, make sure you running it in a location you have perms to create files. It will extract 3 files when it runs, so it needs write permissions to that folder.

  • V says:

    Lawrence, as stated eariler I successfully used your tool but since there is not a lot of information can you please clear up one thing for me and the rest of us? Is this a program that will need a new version on a regular basis or once we have it will it be something we should just hold onto as is?

    Thanks

  • Nerds says:

    Wow! Hey Jim can’t you take a positive view on this. They are nice enough to publish a ” HELPER ” tool and you are acting as if you paid money for it. Go back to offering DBAN as a solution and leave the work to those of us that want a real solution.

  • V, this is updated almost every day. Whenever a new rogues or malware that stops us from running our security programs is released I update the rkill program.

  • Lechuga says:

    Hi I’m having the same problem as ing10. When I run the program I can see three shortcuts appear on my desktop and then it immediately exits and tells me about safe-mode and whatnot. I’ve been trying to run the program over and over but every time it is killed. I know this is probably and idiotic question but when the thing about safe-mode appears does it matter if I click yes or no? When I click no Windows brings up some system restore thing. I have no idea what I’m doing so any help would be appreciated. Thanks!

  • Not sure what you mean by safe mode. There is nothing in the tool that states safe mode.

  • smook_da_only says:

    Lawrence, thanks for rkill. I was infected by Antivirus Live two days ago, and I think it’s now completely fixed. It should be clear to just about everyone that “Jim Boyd” has no idea what he’s talking about.

    Also, Lechuga’s comment above means that, when you run rkill in safe mode, as soon as it finishes, it seems to quickly reboot directly back into safe mode, and then a message appears saying “Windows running in safe mode…want to proceed to work in Safe Mode click yes. If you prefer to use SYSTEM RESTORE to restore your computer to previous state click No.”

    I clicked yes everytime, and I ran rkill about 6-7 times, just to be sure. Then I ran a Malwarebytes scan three times. Everything seems to be running fine now. Much appreciated.

  • Heather says:

    I am trying to run rkill before I run Malwarebytes. My computer is in safe mode. About how long does it take for rkill run?

  • Rkill should take about a 1 minute or 2 to run. If a malware kills it, it will run for a second.

    About safe mode, the reason that message pops up is that explorer is being killed at the end of rkill. Windows will restart explorer and display that message.

  • John says:

    So, I have a quick question. How long should Rkill take to run? Mine has been up for at least 10 minutes now. Does that mean I need to close it and run it again because it didn’t get all processes? Or should I just leave it until it is “done”? I haven’t seen a done message and I don’t know if it even shows a “done” message. How do you know when it’s finished as mine seems to never go away.

    Thanks! This seems like a really neat and quick program.

  • John says:

    Oh, and I just saw the post above saying it should take a minute or two to run, but what do you do if it’s been running longer? Just let it go? Or close it and run it again?

    Thanks!

  • rally says:

    I have the same question as John — if rkill has been running for a good 15 minutes and still doesn’t turn off on its own, what should I do?
    Thanks!

  • Stephanie says:

    Before running Malwarebytes I ran the rkill aplication. Which worked perfectly. After about a min all the popups disappeared. After about 10 mins of running Malwarebytes my laptop shut itself down. I received a warning saying “This shutdown was initiated by NT AUTHORITY\SYSTEM….”. After turning my laptop back on and restarting the entire process,when trying to run rkill I received the “application can not be executed.The file is infected. Please activate your antivirus software” message, which would close it.I was wondering if there is any way around this error?

  • Ron Bruce says:

    Somehow I ended up with a Malwawre program that constantly kept directing me to a Website to purchase Internet Security 2010, which I never did. It claimed that my computer was infected with Virus and Malware. It also keep asking me if I want to compress my Outlook Express email messages to save Disc space. Since I don’t use Outlook Express and my hard drive was only 1/4th full, I knew that was a trick to gain control over my email addresses.

    The other problems I ran into was that my Malware remover, “Spyware Dectector 2010″ keep showing a window saying that my last scan was not completed, start over. This would put me in an endless loop and nothing was ever deleted. Also, my Norton 360 was not working and wouldn’t allow me to access it. Live Chat with the Techs at Spyware Detector helped me to get it working correctly with a new DL and updated DB, but it still couldn’t get rid or 3 certain Malwares, until I DL “Rkill.pif” and ran it. On a re-boot, I had no more malwares or aledged virsus. Now, if I get my Norton 360 fixed I should be okay. Thanks to Lawrence Abrams for such a little program to help me fix big problems.

  • John/Rally, if its still open for 15 minutes then you should just close the window. Wont cause any harm.

  • Paul says:

    ” imports a reg file that restores HKEY_CLASSES_ROOT\exefile\shell\open\command, removes policies that disable regedit, taskmgr, hides your desktop icons, etc”

    Makes it worth every penny. :)

    Personally, I always boot from a live CD (UBCD4Win) and manually check the registry for infections (startup, userinit, shell, etc), remove temp files, and scan system folders for bad guys (just sort by date and look for most recently modified files and check em out). Also check out AppData folders and program files and delete known trojan entries.

    After that you should be able to boot to SM and install MBAM, etc..

  • LJ says:

    Spyware is the scourge of the computing world. Rkill terminates the running processes, letting you run Malwarebytes or SAS to remove the infection.

    It’s quick, it’s easy and it works!

    Thanks Lawrence Abrams you and BleepingComputer.com are valuable and assets.

  • Merlyn says:

    I have tried to run rkill >200 times including opening it 20 times simultaneously, but I can’t get it to run. Any other tricks I can use? Thanks!

  • RealityChecker says:

    This tool rocks! I’ve been getting clients with the “Antivirus Live” infection: this vicious bug stops ALL programs from running except it’s $49.99 “cure” popups. Even in Safe Mode. It also blocks all internet access, so I could not even run my portable malware removers from my flash drive – even if I could find a way to get them to run.

    Used Rkill: ran combofix, then installed Malwarebytes to finish the clean-up. The B@st@rd is gone!

    Thanks!

  • Astargoth says:

    Lawrence,
    I first heard form this tool from bleepincomputer.com however it didn’t work the first time (Malwarebytes could not find any infected files). It wasn’t until I found this page that I learned that are actually four versions of rkill (bleeping computer only lits the .com version) and I was finally able to stop the infected process and remove it with malwarebytes.
    Overall the tool worked like a charm, but I could save some time if I had knew about all the different versions right away (now I’m keeping a copy of all four).

    Regards

  • Shane Fowler says:

    this program will not harm your computer. If you think it will then you need to look up the difference between a process and a program..there seems to be some confusion…lol

  • Just a heads up that I have changed the program significantly. I modified it so that it runs much quicker, from about 50 seconds to about 10.

    It also creates a log file as was requested by many users. Please note that the log file will show all processes terminated during the time that rkill is running, so if you close a program manually it will show in the list as well.

    Hope this helps!

  • Merlyn says:

    Where can we download the new files? Thanks for your hard work!

  • V says:

    Lawrence, Thanks for the reply about the tool being updated on a near daily basis. The tool works well and maybe for those that it does not work on maybe they have additional bad programs that rKill just does not know about yet therefor causing rKill not to work for them.

  • Dale Powell says:

    Glad I found this thread about rkill. I just heard about it and thought my toolbox was pretty complete already. I have to admit that I still like using live cds to compliment the programs in removing malware. With the live cd, they just stand out like a sore thumb and can’t hide. You know, the random or misspelled files with the recent date and no version info. When you are used to seeing what does belong, what doesn’t belong sure stands out.

    Thanks,
    Dale Powell
    http://spywarepreventionguy.com

  • Cherrie says:

    My mother is 71 years old and she told me all I have to do is follow the directions on websites when I have computer problems. I said I don’t mess with the computer monster. I usually just surf and write letters to the tenants. I am a computer dummy. Then the PC Protector infected our PC. About 7 months ago I paid over $100 to have it devirused and etcetera. I told my children I wasn’t paying again so I went on the computer found your info and how proud I am about getting rid of that virus. Thank you, thank you, thank you. It was so easy.

  • Jeff says:

    Lawrence, thank you for your active participation in this thread and for being responsive to users’ requests for more reporting. I’m convinced and now trying to download rkill, but none of the versions (exe, com, etc) will download. I had no problem downloading haxfix, just as a test. Is there a problem on your site that’s causing this?

  • Jason says:

    I think people need to stop complaining. Using a free software to get the job done, and complaining about the way it works. If you dont like how it gets the job done…Then dont use it.

  • Hey Jeff,

    Not sure why they are not downloading. Had no trouble when I just tried and had no reports of others having issues.

  • Mike says:

    Hello, after reading all the above, I am anxious to find out how to get rid of “personal security”, which just infected my laptop yesterday. I’m trying to follow the recommendations on this thread, as well as on bleepingcomputer.com, however I am unable to download rkill in any of its four forms. I receive a window to “run” or “save” it. When trying to run, they will appear to be downloading, but when asked to run again, it will just disappear. When trying to save, they again will give an option of choosing a folder to which to save them, and also give the appearance of saving, but then will show “0 discoveries”, and not save anything. I am left in the dark, and hoping you can help. Thanks.

    Mike

  • Mike says:

    Forgot one thing. I have gone to my desktop and saved the four rkill versions, as well as malwarebytes on a flash drive, but my laptop does not even recognize the flash drive when plugged in.

  • Mike says:

    Finally got the rkill to run, and this is how I did it. I had to reboot with the flash drive plugged in for my pc to recognize it. Once there, rkill still would not open or run, but would flash a window for a fraction of a second before disappearing, and then subsequently giving me an error when trying to open again. Even “Run as Administrator” did not work. Had to send to the desktop, even though I could not tell it was there because “personal security” had hidden all my icons. Next, I restarted my pc, and during the boot up process, it briefly showed my desktop icons before the “personal security” window showed up, and before it cleared off the desktop icons again. It took me a couple of tries, but I was able to quickly click on the rkill icon while it was there, and that finally began the run process. it did the job in stopping the “personal security”, and I was able to install the latest malwarebytes program (which I had actually downloaded onto the flash drive from my desktop), and I am running the scan now. God willing, this will find the program and flag it so I can delete it.

    Thanks so much to everyone and especially Larry for making this available to all of us. All I know is when I get the means . . . Mac here I come! (I run a Mac at work, and can’t wait to replace my pcs at home).

    Mike

  • Jeff says:

    I tried IE and FireFox, straight saves and 3 download managers. Had the same problem with all 4 rkill flavors until I tried using ReGet, which d/led them all no problem … I didn’t even have to reboot. Spooky — Cue Rod.
    Then, after all that, rkill found nothing running that it wanted to kill. According to some posts here, I might not have known that but for the report log you put in. Thanks for adding that.

  • Mike says:

    Woke up this morning and malwarebytes found 16 infections. Removed all, and everything seems fine. Thanks again.

    Mike

  • Mace says:

    I just used the pif version of this tool, and it killed the Antivirus Soft Malware instantaneously, and when it completed it’s task it popped up a window telling me what all it shutdown in the process. Very helpful tool indeed. Much Thanks

  • Jeanneen says:

    help!!! I have this malware on my desktop & I am not able to log onto my desktop even in safe mode. I am end this endless cirle where I click on username, it says it’s loading my personal settings & then logs me off that username. I have copied the rkill file to a flash drive from another computer, but I can’tget that loaded onto the desktop. Anybody have any suggestions?

  • Rol says:

    Try hitting F8 during boot up

  • Jonathan S says:

    Hi Lawrence,

    Thanks for creating this program, and for updating it to reflect user feedback. Mr. Boyd has every right to be cynical of the program however he seems to have forgotten you guys aren’t paid or asking people to pay for rkill, his casual dismissal of bleepingcomputer.com seems founded upon ignorance. He has every right not to use the program, nobody to my knowledge is force feeding it down his terminal.

    Working tech support at a major university reminds me that people with PhDs can at times get too pretentious for their own good.

  • Delia says:

    Rkill worked! YAY! Thank you so much for this incredibly NECESSARY tool! I had tried everything and couldn’t get Malwarebytes’ Anti-Malware to load and Norton/McAfee/Kaspersky/Ad-Aware/SuperAnti-Spyware did not detect the malware on my machine AT ALL even though it was OBVIOUS something was amiss (security websites blocked/pop-ups galore/slow computer etc.).

    I booted in safe-mode with networking and used rkill and then installed Malwarebytes’ Anti-
    Malware and voila it worked and FOUND the nasty critter causing all the problems and removed them.

    Machine works like a champ now!

    *phew*

  • Paul says:

    Is Lawrence still watching this thread? I hope so.

    rKill has a flaw that really reduces its usefulness to me. I do a ton of remote support using a custom VNC tool. When I run rKill on a user’s PC, it sees the winvnc.exe file as spyware and kills it, dropping my connection.

    If I simply re-initiate the connection, should rKill let me come back in? (Preferably, rKill would simply ignore winvnc.exe, though)

  • Martin says:

    I had the “Antivirus Soft” virus and seemed to (I’ve been running now for a couple hours and it seems to be fine again) have taken care of the program this way:

    Simply do a “system restore” after having booted up in “Safe Mode” (had to use Safe Mode becuase the “Antivirus Soft” wouldn’t allow me to access my “System Restore” in regular mode).

    Hopefully the virus doesn’t come back. I post this message because doing a “System Restore” is much easier and faster than downloading and trying to use “rkill” (“rkill” didn’t work for me).

    Does anyone know of a reason why it is NOT a good idea to try and get rid of the “Antivirus Soft” by simply doing a System Restore? Please reply if so….

    Thanks!

  • Matt says:

    <blockquote

    I had the “Antivirus Soft” virus and seemed to (I’ve been running now for a couple hours and it seems to be fine again) have taken care of the program this way:

    Simply do a “system restore” after having booted up in “Safe Mode” (had to use Safe Mode becuase the “Antivirus Soft” wouldn’t allow me to access my “System Restore” in regular mode).

    Hopefully the virus doesn’t come back. I post this message because doing a “System Restore” is much easier and faster than downloading and trying to use “rkill” (”rkill” didn’t work for me).

    Does anyone know of a reason why it is NOT a good idea to try and get rid of the “Antivirus Soft” by simply doing a System Restore? Please reply if so….

    Thanks!

    System Restore works by attempting to “undo” changed to the operating system.

    For example, if you install a program which causes the system to crash, System Restore and roll back to a time prior to that installation. This only works for programs which properly register with the operating system.

    While unlikely, a system restore may be able to slow down a virus’ progression by changing some installations or registries that it modified, but it most certainly will not remove the infection. Whatever files caused the initial infection are still there since System Restore does not change or alter files in any way.

    If your system is in a usable state, I suggest running a full Malwarebytes scan as soon as possible.

  • Hi Paul,

    Sorry for the delay in getting back to you. Where in winvnc.exe running from? Is it from a userprofile? If so, run it from a different folder as processes running from a userprofile are terminated.

  • Ron Abe says:

    Will it kill the nasty, netsky virus?

  • Dolphbabe says:

    Firstly, Lawrence, great work! I have now sucessfully used ‘rkill’ twice on two separate computers. It stopped the security malware and enabled me to run ‘malwarebytes’ to get rid of it. So far I haven’t found any other tools as good as this. Keep up the good work!

  • richard though says:

    hi,

    Lawrence Abrams
    BleepingComputer.com

    so you are also a creator of combofix? ok its a nice software should i say better than the other product but what happened why your site is down. Maybe im off topic here but just for a curiousity. How come that there are reports that after running the latest versions some computers crashes and could not get back to normal operation. For me luckily i manage to recover it without formating i dont know why it was happened anyway ive just download Rkill and give it a try thanks for this

  • Luis From Argentina says:

    Hola gente, me sugirieron Rkill para sacar el security central que no paraba de molestar y no me dejaba usar ningun programa, en unos segundos dejo de joder el security central y lo saque.

    Aprovecho que por aca pasa el autor para decirle Thanks you very much!

  • I am the creator of Rkill, but not Combofix. There was a bug in combofix a while back that could affect computers, but not for quite a while.

    It wont go after netsky.

  • Michael Brinson says:

    You’re freaking awesome Lawrence. Thank you so much for creating such a valuable tool and making it available the way you have. Just can’t thank you enough. :)

  • BMoses says:

    Lawrence, first and foremost, this is a wonderful tool that has gotten me out of a lot of tight spots. I work with a group of people who troubleshoot for a private company that hosts computers across the US. When I found your tool, I gave it a try via remote assistance. It was amazing to watch it work. Since then, my co-workers have adopted your tool as a main step to removing malware infections. Many of us have used this tool without hesitation on our own and on friends’ computers. Many many thanks for this… it has saved lots of headaches in our line of work.

    My question: Does rkill have any plans to check for updates when running? If not, is there a link that will always offer the latest version of rkill?

  • JustinE says:

    Ok, I finnally got all of the rkill files downloaded thanks to the poster named Jeff. For some reason none of the files would download for me untill I used ReGet to download them. Now, the problem I am running into is that rKill does it’s job, but when I install malware, it starts up and the virus imediately terminates it and deletes/moves malware. I cannot run a scan in order to remove the virus. Does anyone have any suggestions?

  • The latest version of rkill can always be found at http://download.bleepingcomputer.com/grinler/rkill.exe

    I have toyed with updates via the Internet and will see what I can do for the future. No promises though.

    Justin, when you say malware? What exactly are you referring to?

  • John Gleaton says:

    Thanks Lawrence, I have used your RKILL on 7 pc’s on my work network so far. is there any way to tell how these virus are spreading? should I delete all network shares that I can?

  • Tim says:

    Downloads keep erroring out. Even with ReGet. Any other way to get this app? Dealing with another machine with Antivirus Soft.

  • eileen says:

    I tried system restore but even that is asking me what program I want to use to open the file? Which version of rkill to I try? .exe? .com? .scr? or .pif?

  • eileen says:

    even the rkill is asking what program I want to use to open the file? What do I do?

  • bizzy says:

    The RKill program keeps asking “what program to use to run it?” It happens with EVERY extension you’ve supplied.

    How do I get around this?

    Thank You!!!!!!!!!!!!!!!!

  • tyler says:

    I’m having problem running this myself, so I’m not sure if it rules as you say. Like others have mentioned. I’m having a problem getting rkill to run because my pc says it doesn’t know which program to run the pev.rkexe.file through no matter which of the 4 links I choose.

    Does anyone know the solution to this problem, because I see I’m not the only one with it.

  • dale says:

    i tried every site where i could get the rkill program and i get redirected
    could someone send it to my email pls
    nightrider1041@hotmail.com

  • Darren says:

    Dear Mr. Abrams.
    I installed you Rkill.exe on my computer and it did as I had hoped and allowed me to scan with malwarebytes. My issue now is that every time I try to open a program on my machine, It prompts me with a “run As’ menu asking me to sign in under administrator with a password. This has become more annoying than the Malware that I originally had please help me get rid of this.
    Darren S Smith

  • roadkill42 says:

    Had a malware that was killing malwarebytes, so I ran rkill.com several times. It did create a log file, but it did NOT stop the malware. I ahd to go to Microsoft and get their malware removal tool. It did cleanup some things, but I didn’t have time to test the results completely.
    Also, malwarebytes would not even try to run in safe mode: gave an error message that it could not install in safe more. Don’t know why.

    OS: XP SP3
    Malwarebytes: latest download (1.44)
    Rkill: latest download

  • Darren,

    Download and double-click on this registry file:

    http://download.bleepingcomputer.com/reg/FixExe.reg

    When it asks if you would like to merge the data, allow it to do so. Let us know if that fixes your issue.

  • Darren says:

    Mr. Abrams,
    I Did as you asked and it never asked if I would like to merge the data. It did however come up and say my registry has been successfully changed. I am still however stiff experiencing my original problem. I really appreciate your help.
    Darren

  • Tim says:

    Any update on the rkill.* download links? I’m still getting “IE cannot open page” errors on each one.

  • GMU Tech says:

    Thanks so much for the R Kill program. I was just about ready to format the system when I found you very useful tool! It goes in the tool kit here and I am telling all tech here at the university about it.

  • Tim says:

    GMU, where did you get rkill? I’ve been trying to download for 2 weeks from those links. Have a workstation infected with Antivirus XP 2010 that won’t allow MalwareBytes to run. AV.EXE keeps restarting. Is there a setting with IE that is keeping me from getting to the site?

  • K says:

    I need help.. my computer blocks all of these it iwll not let me find any of them on my computer and when I try to save it it wont let me

  • Darren says:

    Mr Abrams. Please help me fix my issue. I haven’t heard back since my reply.

  • For those who can’t run programs after running Rkill, yor removing av.exe, you must have been infected with the av.exe rogue. Download the following reg file and save it to your desktop:

    http://download.bleepingcomputer.com/reg/FixAV2.reg

    Then double-click on the reg file and allow the data to merge. You should now be able to run executables again.

  • Amanda says:

    Thanks L.A! You and you programs are godsends to the pc world!!

  • DocLazy says:

    Dear Mr. Abrams,

    damn, this malware named Paladin Antivirus just stops every try to download it from bleepingcomputer.com. The site just won’t open.

    Is there any other place, where I can download rkill?

    Please help. I’m desperate to find a way since two weeks.

    Thank you very much

    Lazy

  • JacekW says:

    Hi

    I just want to said that rkill tool and Malwarebytes’ works every-time. There usfull tools for any spywere.
    thx

  • Michele says:

    I have used the rkill along with the Malwaerbytes anti-malware to try and rid my comp of the Antrivirus Soft bs that keeps popping up on my computer. I have run both over and over via the safe mode. I have tried all 4 versions of the rkill – and they all come on for 3 seconds top and then go to the log. It shows nothing being “killed” on the log. I have run the Malwaerbytes and the very first time it found a trojan-dropper but sense then has found nothing. Yet I’m still getting the pop ups from antivirus soft once I start up in normal mode. AGGGHHH. Is the rkill working if its up for that short of a time? I’m at a loss. I’m far from a computer guru…please advise

  • Braden says:

    Rkill totally worked on the first try! It got rid of antivirus soft when every other freeware program I tried kept missing it.

    Awesome program totally kick ass and 5 stars to the creators!!!!!!!!

  • Bill says:

    Not sure if this is any help to anyone but I ran msconfig from “start, run” on my xp machine and disabled lkmqsftav on the startup tab and rebooted and then had a bit more flexibility in performing clean up tasks.

  • Hani Dirani says:

    I am creating a virus removal utility and i was wondering is there a way to run rkill silently without bring up a log file?

  • Deispring says:

    I would just like to thank Lawrence Abrams for this nifty little program. I found it while trying to find a fix for the Security Tools 2009 Virus, and for the longest time I could not find a way to fix it, even when running programs that said they fixed ST2009 Specifically.
    Then I found a forum that said to run Rkill.exe 1st, then run the others. I did, and what do you know, it worked perfectly.
    Granted, there was not much info on this little program back then, but People, Please!!! IT’S A FREE PROGRAM THAT KILLS MALICIOUS PROCESSES, NOTHING MORE or LESS. It’s the Pliers you use to straighten the nail before using the hammer to pull the nail out.
    As for the little black screen, I was lucky in that the forum I found for Rkill warned me ahead of time, so I had no worries there. Still, I can honestly say that this program will do just what you need. And Hey, if it kills an extra process or 2 that you didn’t intend it to kill, guess what, You’re fixing your computer right now, so let it kill the “other” processes and run your Antimalware programs afterwards.
    And for the record, the programs I ran to clean that system, and it is now clean, are Combofix, Malwarebyte, AdAware, Spybot, and Comodo Security Suite. I downloaded Rkill directly, and the rest on a clean computer, put them on a flash drive, and booted in Safe Mode w/ Network, and Installed / ran them in the order you see above. I did not run IE or Firefox ONCE during this scenario, and Restarted after each program finished, again rebooting directly into safe mode w/ Networking. It took about 5 1/2 hours for everything to work it’s way through, plus 2 1/2 more hours for Comodo, but when I finished and booted into normal mode, my computer was clean of everything except the Primawega Addware, which is a whole other story. All in all, the computer is running perfectly, and NONE of these programs worked or installed right until I ran Rkill.
    So again, Thanks to Lawrence for a kick-but program, and Yes, I’d love to see a full-featured version some time down the line, but as it is, this program works wonders.
    Cheers,
    Deispring

  • Leah says:

    I have used this rkill program to help remove the Security Tool virus. It works great!!

  • This tool looks to be exactly what I need on a daily basis. Thank you. I have had luck previously renaming MBAM.exe to M.exe. Then the malware will not stop it. Thanks!

  • 778877 says:

    to Lawrence Abrams. thank you very much for the rkill.my laptop got infect and thanks to u and malwarebytes software my laptop…working great again.save me $$$ and time.thanks again Abrahams

  • Kaolinchemist says:

    Lawrence, this looks to be a godsend. I am waiting on a new power supply before I can get my infected (Antimalware 2010) desktop (xp Pro SP3) running so I can try out rkill. I am trying to educate myself on the step by step process I will need, is this correct?

    1) downloaded all rkill (.com,.pif,etc..) to flash drive

    2) Downloaded latest Malwarebytes to flash drive

    3) Boot in Safe Mode With networking

    4) copy files from Flash drive to desktop

    5) run one of the rkills (may have to try and run it many times if malware closes it)

    6) run Malwarebytes AM

    Thanks in advance, if anyone has a step by step with scrrenshots for newbies like myself it would be a HUGE help.

    I just want to thank Lawrence for all his help in fighting against this malware crap.

    I have learned a lesson, from now on I will create a limited user account that I will use when surfing the net from now on.

  • Sean Nissanka says:

    Lawrence, I have no way of expressing my gratitude for this fix! its a GREAT little program that does wonders. I’ve been in IT for over 15 years. A few comments earlier were based on being unable to dowload from your site. It’s not a site problem, just the malware preventing such downloads. It downloads perfectly from a non-infected pc :)

    I wasted over 5 hours on an infected pc in trying to clean out infections, with no success. After using rkill, job was done in 10 minutes.

    Kaolinchemist has got it right by saving to USB and then rebooting in SM with Networking. But, this too sometimes goes wrong :( as the malware boots up even in SM and infects the exe’s in the USB.

    Once again, thanks a million Lawrence for this nifty litle gadget :)

    Sean – Sri Lanka

  • Raj Singh says:

    Hey Lawrence,

    I am a layman and just want to express my gratitude that you created such a simple thing that even a non-technical person like me could use and remove the Security Tool.

    Just want to let you know, may be it is coincidence, the Security Tool popped right after my subscription for Norton Anti-virus expired. I felt I was being forced to purchase it again. I will buy Malwarebytes now.

    Thanks a lot, again!

    Raj

  • Chris says:

    To Sean Nissanka
    A tip for you and other members, If you save these removal tools to a USB Pendrive, get one with the write protect switch on it and then download & save removal tools onto stick on a non infected PC. Once you have done that write protect the USB Drive so that the virus can’t infect / damage the removal tools.

    As an IT Tech I have had a lot of experience in removing Malware from PC’s and I have found this method to be the easiest.

  • Ruben says:

    I really have to say, that this rkill tool is possibly, one of the greatest tools I have ever used. I could not run any applications on my computer until this tool was used. It saved my job. So just wanted to say thank you.

  • antonio says:

    As a relative novice, I have been plagued by similar Malaware which is taking over my computer with all sorts of false virus warnings. I have taken to booting up in safe mode and have followed all the steps as detailed in this log.
    Unfortunately whenever I run Rkill (exe or com) it seems to take only 1-2 seconds and in the white log box (notepad) which appears after the black box the only program which appears to have been killed are the following

    windows/systems32/dllhost.exe
    users/psi,desktop/rkill.exe

    when I then run Malawarebytes full scan I get no hits related to infection and the virus alerts are still present. Is the problem that Rkill is getting shut down too fast?
    Any suggestions are appreciated thanks!
    antonio

  • Kaolinchemist says:

    Lawrence, THANK YOU I booted in safe mode with networking, and up popped my “XP Antimalware 2010″ rogue infection and I hit rkill.com on my desktop and on the FIRST TRY it killed av.exe after that I was able to install MBAM.exe and update it and then perform a quick scan. It found and removed several files. I then turned off system restore and turned back on and then rebooted again into Safe Mode w/ Networking. The rogue virus did not pop up and I ran a FULL MBAM scan and it found nothing. I then used CCleaner to clean up my temporary files and I am FREE of that crap so THANK YOU SOOOO MUCH for your kill.exe app. You are a good man.

  • Wayne says:

    This utility works exactly as advertised. Perfect supplement to an engineers “bag of tricks”.

    Highly recommended … great job Lawrence!!

  • Amy says:

    I have used this tool several times and it has worked wonderfully for me! Thanks for the tool!!

  • Patrick says:

    Thanks for rkill.com. I used it about a year ago on a friend’s system, and it was fun! Plus, afte that being able to run the other type killer programs….

    Nite before last, I got that same trojan, ANTIVIRUS-XP somehow, could not access the internet and could not even run Task Manager.

    Well, I managed to fix my own sysyem a bit faster than my friend’s, but want to run the latest rkill., so thanks

  • BOB says:

    DONT USE RKILL .. LEFT LOG :

    his log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as ******* on 23/03/2010 at 0:13:40.

    Processes terminated by Rkill or while it was running:

    C:\Windows\System32\rundll32.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Users\*******\Desktop\Downloads\rkill.exe

    Rkill completed on 23/03/2010 at 0:13:43.

  • Ray says:

    BOB:

    What’s your point?

  • Michael says:

    I have used rkill.com already to remove malware that would have made it impossible otherwise. I would have reloaded everything. Using this tool, I was able to save all documents, favorites (Bookmarks), and pictures.

    Not bad for a free tool!

    Mike

  • Judy says:

    OH MY GOD. this rkil saved my ass. stupid vista window security 2010 was bombarding my comp with DANGER HACKING HI JACKER shit. and i dl r kill and it just went away. <3

  • Tom says:

    rkill just saved me a lot of time. Had some Rogue Anti-Virus and rkill stopped and told me exactly where the malicious executable was. I ran Malwarebytes before removing the file manually and it wasn’t even found.

  • Noah says:

    Didn’t feel like reading ALL of the comments on this, but from the comments I did read I wanted to recommend one strategy that I found works quite consistently, and I probably disinfect 10-20 computers a week.

    1) Download Process Explorer, RKILL.COM and the Malwarebytes installer.
    2) Copy RKILL and Process Explorer wherever you want, then create a shortcut to them in the Startup folder of the start menu.
    3) Restart computer.
    4) Upon restart, RKILL runs 95% of the time even when it was blocked by malware if you tried to run it immediately after downloading.
    5) Even when it doesn’t, Process Explorer usually successfully opens.
    6) Go through the processes in Process Explorer and shut down anything non-essential.
    7) Install, update and do a full scan with Malwarebytes, removing any found items after inspecting for false positives.
    8) Restart, then do another full scan with Malwarebytes.
    9) Tada! (if this helps you send beer/coffee my way)

  • Noah says:

    P.S. I posted the above because people were recommending to “just keep running it over and over again until it takes” if it got blocked by malware, which seems less than efficient IMHO.

  • Sheron says:

    Thank You for all your help I will certainly give it a try as Security Tool infected my new Win 7 tower.

  • fk says:

    danke!!! einfach und erfolgreich!!!

  • Jayme says:

    My brother told me about this program and he works on pcs for a living. He also uses malwarebytes. I don’t know if anyone else has had issues or not with Google Chrome, but I believe it’s lack of security caused a TON of viruses, trojans, worms and “unknown viruses” to invade my pc last night. It’s a mess. I am going to try rkill and I am going back to firefox.

  • Unfortunately due to time constraints I will not be able to support Rkill outside of BC. I just do not have enough time to monitor multiple topics at multiple sites, especially when some of them do not have new reply notifications.

    So I created a new topic at BC regarding rkill and how to use it.

    The topic can be found here:

    http://www.bleepingcomputer.com/forums/topic308364.html

    Please note that this topic should not be used to ask for help removing specific malware.

  • Jason says:

    Mr. Abrams, Thanks for all your work.

    Ok, here is a stupid question for you. Do you need to Rkill in safe mode, Or can you just run it in windows? I ran it in windows and it stoped the pop-ups. but now it just says:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Admin on 04/09/2010 at 10:06:35.

    Processes terminated by Rkill or while it was running:

    C:\WINDOWS\system32\imapi.exe
    C:\Documents and Settings\Admin\Desktop\RKILL\rkill.exe

    Rkill completed on 04/09/2010 at 10:06:42.

    Isn’t this doing what it’s supossed to do?

    I’ll then run several virus programs(avast, malware, avg, adaware, ccleaner…), and remove a couple viruses each.
    After a couple of days to a week, I will get the virus back.

  • admin says:

    As per the creators request, if you need any Rkill support, please visit this thread:
    http://www.bleepingcomputer.com/forums/topic308364.html