Auto start rkill

[HFultzjr]

Ok, I have a question.

I know there are other ways around these issues....safe mode, safe mode with command prompt, offline scanning, D7, Boot Disks, etc., etc., and numerous other ways.

But suppose I would want to have rkill or similar file run at startup. Is there a way to have it run multiple times until it starts and before it's knocked out by the virus.

I'm not asking for solution to remove the virus, but just how to achieve the above, if possible.

 

[FoolishTech]

You could run any app at startup and probably before the malware executes (depending on the malware) if you add the app to the RunOnce reg key either offline or online and reboot... This will at least run the app before explorer.exe executes, and hopefully the malware depending on how it spawns.

If KillEmAll will suit your needs for just terminating the running malware's process, then you can hold down SHIFT while executing it and it will install itself as a system service with the auto-restart on failure flag set, so if malware terminates KillEmAll it will respawn instantly and try again. If that doesn't do the trick and kill the malware then you should reboot manually. The service will remain installed and KillEmAll will startup with the system and likely before the malware, terminating it as it starts. Once KillEmAll has been able to complete it's run, it will remove itself from the system services. That's the theory, anyway. Whether it works or not will greatly depend on the malware's method of spawning.

 

[glricht]

What about putting a link to the desired program inside your startup folder? Wouldn't that do what you're asking?

 

[Xander]

If he's working on it offline, it would be a lot easier to just drop the rkill executable into the Startup folder. Whether it works depends on what level the malware is starting. If it's running as a service, I'm not sure rkill would do much good but it might be worth a shot.

 

[FoolishTech]

The startup folder is the absolute LAST autorun location executed, RunOnce registry key being the first. If you dropped rkill into the startup folder it wouldn't even have a chance to launch as malware that could terminate it would already be running.

 

[Xander]

I know it's at the end of the list; my point was just that if you're considering dropping a shortcut in there, there's no reason not to just drop the executable itself.

What about adding something like this into D7's Offline tools? "Add ___ to RunOnce" for running on the next boot? Oooh - or add it in as a Shell Extension. I'd thought of that once before but never got around to trying to script it. Right-click, "run on next boot"

 

[FoolishTech]

I know it's at the end of the list; my point was just that if you're considering dropping a shortcut in there, there's no reason not to just drop the executable itself.

What about adding something like this into D7's Offline tools? "Add ___ to RunOnce" for running on the next boot? Oooh - or add it in as a Shell Extension. I'd thought of that once before but never got around to trying to script it. Right-click, "run on next boot"

That's actually one of the things in the back of my head for a while now too. I might try and squeeze that feature into a new version finally.

EDIT: Xander... it's ALREADY IN D7. right click > work with file > start with windows

but it needs an offline component... or a quick add component when malware doesn't let you do all that.

 

[Xander]

Gonna have to remember that. Countless times I've said to myself, "I have to remember to run that after I reboot." Usually I settle for moving a shortcut to the middle of my desktop.

 

[HFultzjr]

You could run any app at startup and probably before the malware executes (depending on the malware) if you add the app to the RunOnce reg key either offline or online and reboot... This will at least run the app before explorer.exe executes, and hopefully the malware depending on how it spawns.

If KillEmAll will suit your needs for just terminating the running malware's process, then you can hold down SHIFT while executing it and it will install itself as a system service with the auto-restart on failure flag set, so if malware terminates KillEmAll it will respawn instantly and try again. If that doesn't do the trick and kill the malware then you should reboot manually. The service will remain installed and KillEmAll will startup with the system and likely before the malware, terminating it as it starts. Once KillEmAll has been able to complete it's run, it will remove itself from the system services. That's the theory, anyway. Whether it works or not will greatly depend on the malware's method of spawning.

Nick,

Thanks for the tip on KillEmAll.

I wasn't aware of that capability.

Sounds like just what I'm looking for.

D7.....such a powerful tool that I still have a lot to learn about.

Probably the best return on ANYTHING I've bought......ever.

Thanks

 

[HFultzjr]

What about putting a link to the desired program inside your startup folder? Wouldn't that do what you're asking?

If he's working on it offline, it would be a lot easier to just drop the rkill executable into the Startup folder. Whether it works depends on what level the malware is starting. If it's running as a service, I'm not sure rkill would do much good but it might be worth a shot.

I have tried the startup folder suggestion with mixed results.

Thanks.

 

[HFultzjr]

I know it's at the end of the list; my point was just that if you're considering dropping a shortcut in there, there's no reason not to just drop the executable itself.

What about adding something like this into D7's Offline tools? "Add ___ to RunOnce" for running on the next boot? Oooh - or add it in as a Shell Extension. I'd thought of that once before but never got around to trying to script it. Right-click, "run on next boot"

Xander,

Great thinking, might be possible.

Nick.....feasible.....pretty please!

Thanks

 

[HFultzjr]

That's actually one of the things in the back of my head for a while now too. I might try and squeeze that feature into a new version finally.

EDIT: Xander... it's ALREADY IN D7. right click > work with file > start with windows

but it needs an offline component... or a quick add component when malware doesn't let you do all that.

Nick,

Offline component would be awesome!

Thanks

 

[HFultzjr]

That's actually one of the things in the back of my head for a while now too. I might try and squeeze that feature into a new version finally.

EDIT: Xander... it's ALREADY IN D7. right click > work with file > start with windows

but it needs an offline component... or a quick add component when malware doesn't let you do all that.

Nick,

I didn't even know this existed....don't know how I've been missing it.

Man, I need to find more time to just "play" D7. I'm sure I'm not using it to it's full potential. It amazes me!

"Shameless plug for D7.....it really is that great!"

 

[ComputerRepairTech]

I need to find more time to just "play" D7. I'm sure I'm not using it to it's full potential. It amazes me!

Nick is a very experienced technician, he clearly has many many years of experiencing fixing issues properly. I am fairly certain every single one of the scripts I had before purchasing D7 are already implemented in some fashion (note: im not saying hes using my scripts im just saying he already had all of the same ideas and much more than i did).

Sometimes I find myself doing things manually then I think to myself...wait a minute let me check D7 to see if hes thought of this one and a good amount of the time he has and I just didnt notice it. Even if Nick doesn't think of something other technicians provide suggestions to him too so he keeps adding to it.

 

[TimM]

The startup folder is the absolute LAST autorun location executed, RunOnce registry key being the first. If you dropped rkill into the startup folder it wouldn't even have a chance to launch as malware that could terminate it would already be running.

But if you add rkill to RunOnce isn't there a good chance that it will run, find nothing and then terminate before the malware launches?

 

[FoolishTech]

But if you add rkill to RunOnce isn't there a good chance that it will run, find nothing and then terminate before the malware launches?

I have no idea how RKill works I've never used in the real world, and only observed it running once, and I'll be honest with you, I have no idea what the hype is all about, or what the tool is actually FOR. I thought it was to find and terminate running malware, the kind that is hard to kill because it continually terminates your tools. But obviously not! It seems absolutely useless to me because it takes so incredibly long to try and identify malware AS malware before terminating the process, instead of taking the KillEmAll approach and letting God sort them out.

Though I would think that even if Rkill needed the malware to be running to find it, it could use every opportunity at a head start that it can get - e.g. RunOnce, else if the malware is running first then why on earth wouldn't the malware just terminate Rkill as it launched (nevermind the 1.5 years it takes to 'scan' running processes)?

It is true that if something is in RunOnce - Windows will wait until it terminates before loading the desktop. This could potentially cause Rkill (IF it relies on the malware actually running in order to 'find' it, AND the malware doesn't start until after explorer.exe) to completely miss it's mark, you are correct - if both of those circumstances are true.

However if you add the item to the RunOnce key by shelling it from a console window without waiting, then your app starts first and Windows (along with the malware) will continue to load. That should give Rkill enough of a head start before the malware launches.

This is also what I do with D7, but for very different reasons. (hint: UAC prompts don't trigger if an app requiring admin privileges is executed via RunOnce because it fires before explorer.exe, but UAC prompts DO fire in every other auto-start location!)

example RunOnce value:

cmd.exe /c start "" "drive:\full path\to\your.exe" /any /parameters /here

 

[Xander]

Nick, is that how KillZA runs on its reboot? As a RunOnce?

 

[FoolishTech]

Nick, is that how KillZA runs on its reboot? As a RunOnce?

Yep <--------------filler

 

[ComputerRepairTech]

I have no idea how RKill works I've never used in the real world, and only observed it running once, and I'll be honest with you, I have no idea what the hype is all about, or what the tool is actually FOR.

RKill is primarily used to restore file associations like .exe and terminate processes that may simply corrupt the file association again or other programs it mistakens for malware.

 

[FoolishTech]

RKill is primarily used to restore file associations like .exe and terminate processes that may simply corrupt the file association again or other programs it mistakens for malware.

LOL @ what I put in bold. why does it take a bloody hour to run then? I know I'm exaggerating, but hey, repair file associations should be done before you can bat an eye, and terminating ALL processes on the system possible (ala KEA) takes but a tiny fraction of the time I saw Rkill execute. I mean, I can manually clean a system faster than that... no dice. still have yet to see the worth of this app... I've had people request it in D7 (dunno why, they can do custom apps too ya know) but I never would add it because no one could actually tell me what it did for them. specifically.