The malware world is changing. It’s getting smarter.
In fact, some infections will detect that you have launched an anti-malware tool such as MalwareBytes and close it down as soon as you open it, which makes your job much harder. This is the exact situation Rkill is designed for.
Rkill is a small, freeware, portable tool designed to terminate active malware processes so that you can then run your other removal tools. Rkill is written by Microsoft MVP Lawrence Abrams and is distributed under four different file extensions: .EXE, .COM, .SCR and .PIF.
Rkill comes in four versions because some malware blocks .EXE files from running in order to stop you launching other malware removal tools; the alternative extensions get around that block.
I tested this tool on a virtual machine which I had infected with a fake antivirus and Rkill killed the malicious processes without any problems. Of course, I then had to delete the malicious files manually as this is not a malware removal tool, but a malware process killing tool. It just stops the malware from running right now, allowing you to work your computer technician magic.
Edit: It looks like we are lucky enough to have the creator of this tool, Lawrence Abrams, with us to explain what Rkill does in greater detail.
First, the program was designed for use in my malware removal guides so that I can have a tool that is easy to use and kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that we can use the normal anti-malware programs to do their job.
So in summary, rkill just kills processes, imports a reg file that restores HKEY_CLASSES_ROOT\exefile\shell\open\command, removes policies that disable regedit, taskmgr, hide your desktop icons, etc., and removes a key used by a malware protection process. Then it kills explorer so it will restart and enable some of the reg changes. Other than what is listed above, it does nothing else. It does not create a report, because this tool was not made to be fancy but made to help novice users remove malware through my guides. Maybe in the future I will include a report of what it has killed. It is not a priority though right now.
See his comment (#21) for the full information.
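The two mechanisms described above, the hijacked .EXE file association that blocks removal tools and the policy values that disable regedit, Task Manager and the desktop icons, can be audited before you reach for any tool. The following PowerShell script is an added example for this post; it is not Rkill's own code and does not reproduce its reg file. It only checks the items Lawrence lists (the exefile open command and the standard Windows lockout policy values), reports anything that deviates from a stock install, and puts them back only when run with the -Repair switch from an elevated prompt. The expected command string `"%1" %*` is the default on a clean Windows system; the set of policy values checked is this example's own choice.

```powershell
# Added example (not Rkill's code): audit the registry items the post describes Rkill
# restoring, and optionally restore them. Use -Repair from an elevated PowerShell
# prompt, since HKEY_CLASSES_ROOT and the HKLM policy keys need administrator rights.
# Run it as the affected user so the HKCU policy keys checked are that user's.
[CmdletBinding()]
param(
    [switch]$Repair
)

# Known-good launch command for .exe files on a stock Windows install.
$ExpectedExeCommand = '"%1" %*'
$ExeCommandKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'

# Standard Windows policy values that malware sets to 1 to lock the user out of
# common tools. Absent or 0 is the normal state. (List chosen for this example.)
$PolicyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Effect = 'regedit blocked' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Effect = 'regedit blocked (machine-wide)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Effect = 'Task Manager blocked' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Effect = 'Task Manager blocked (machine-wide)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop';            Effect = 'desktop icons hidden' }
)

$findings = @()

# 1. The .exe file association. Whatever sits in this value runs every time any
#    .exe is launched, which is how a hijack here blocks removal tools from starting.
$current = (Get-ItemProperty -Path $ExeCommandKey -ErrorAction SilentlyContinue).'(default)'
if ($current -ne $ExpectedExeCommand) {
    $findings += [pscustomobject]@{
        Item     = 'exefile open command'
        Current  = $current
        Expected = $ExpectedExeCommand
    }
    if ($Repair) {
        Set-ItemProperty -Path $ExeCommandKey -Name '(default)' -Value $ExpectedExeCommand
    }
}

# 2. Each lockout policy value. Only a non-zero value is reported.
foreach ($check in $PolicyChecks) {
    $value = (Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue).($check.Name)
    if ($value -and $value -ne 0) {
        $findings += [pscustomobject]@{
            Item     = "$($check.Name) ($($check.Effect))"
            Current  = $value
            Expected = '0 or absent'
        }
        if ($Repair) {
            Remove-ItemProperty -Path $check.Path -Name $check.Name
        }
    }
}

# 3. Report. Record this output before changing anything, so the evidence of what the
#    infection altered survives the clean-up.
if ($findings.Count -eq 0) {
    Write-Host 'No hijacked .exe launch command or lockout policies found.'
} else {
    $findings | Format-Table -AutoSize
    if ($Repair) {
        # Explorer reads these policies at start-up, so restart it (it relaunches on its
        # own on current Windows versions) for the changes to take effect, which is the
        # same reason the post gives for Rkill killing explorer.
        Stop-Process -Name explorer -Force
    }
}
```

Run it without -Repair first and keep the table it prints: if the open command points anywhere other than `"%1" %*`, the path it names is the file to hand to your scanner or to examine next, and the policy findings tell you which of the tools the user reported as "broken" were in fact disabled by the infection rather than damaged.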
Additionally, due to time constraints the creator cannot support RKill on any site other than his own, BleepingComputer. It's just too difficult to support multiple topics on multiple sites at the same time. So, he has created a single forum thread on his site for supporting RKill. If you need any Rkill support, please visit this thread. Comments will be closed here on Technibble.
rkill.exe – Download from BleepingComputer.com – 257kb
Special thanks to the Technibble forum member Galdorf for recommending this one.