Solved

Rkill issues

Posted on 2013-10-29
12
3,001 Views
Last Modified: 2013-11-22
When I ran Rkill on a client's computer yesterday I let it run for almost 45 mins and it still wasn't finished. This is a first for me.

This is a Windows XP machine so I know he doesn't want to spend much on having me clean it up.  In looking at the beginning of the scan what does this mean:

Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
Possibly Patched Files - he has been having issues with his svchost.exe running extremely high on memory - what are patched files?
Missing Digital Signatures - which continued to populate and never finished...pages of them - what causes these?

Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/28/2013 01:35:55 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]

1 proccess terminated!

Possibly Patched Files.

 * C:\WINDOWS\system32\services.exe
 * C:\WINDOWS\system32\lsass.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\spoolsv.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\wbem\wmiprvse.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\ctfmon.exe

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\clipsrv.exe : 33,280 : 08/04/2004 01:56 AM : c8dec22c4137d7a90f8bdf41ca4b82ae [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]

 * C:\WINDOWS\System32\comctl32.dll : 617,472 : 08/23/2010 10:12 AM : 93afb83fbc1f9443cac722fca63d73bf [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comctl32.dll : 617,472 : 08/25/2006 09:45 AM : b0124cb21d28b1c9f678b566b6b57d92 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comctl32.dll : 617,472 : 04/13/2008 06:11 PM : 06f247492bc786ce5c24a23e178c711a [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\comctl32.dll : 617,472 : 08/23/2010 10:12 AM : 93afb83fbc1f9443cac722fca63d73bf [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll : 921,088 : 06/25/2002 03:36 PM : aef3d788dbf40c7c4d204ea45eb0c505 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll : 1,050,624 : 08/04/2004 01:57 AM : 5af68a5e44734a082442668e9c787743 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll : 1,054,208 : 08/25/2006 09:45 AM : c4e80875c1cf1222fc5efd0314ae5c01 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll : 1,054,208 : 04/13/2008 06:12 PM : bd38d1ebe24a46bd3eda059560afba12 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll : 1,054,208 : 08/23/2010 10:12 AM : 736b12b725aeb2b07f0241a9f680cb10 [Pos Repl]

 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comres.dll : 792,064 : 08/04/2004 01:56 AM : 6728270cb7dbb776ed086f5ac4c82310 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]

This continues for pages.

I have run Hitman Pro (found only cookies), MBAM (found 2 Trojan.Agent.IE), SAS (found cookies) and Avast (found Win32:Malware.gen) to start. I am working remotely and will work with him to remove his boot time password since I cannot get back in when I need to reboot his machine.

Your feel for what is going on with my bullet questions will be appreciated.  This is what Avast says to do to handle the Win32:Malware.gen - http://forum.avast.com/index.php?topic=123900.0 which looks pretty standard.

Thanks a million for your input!
Mags

PS: am I selecting the correct Topics for this type of issue?
0
Comment
Question by:MagsMcKinley14
12 Comments
 
LVL 95

Expert Comment

by:John Hurst
ID: 39610454
If your client got a deeply embedded root kit virus, you may need to rebuild it.

I know he doesn't want to spend much on having me clean it up

So if it is badly corrupted (looks like it, and dead easy to do) what magic does your client propose?

.... Thinkpads_User
0
 
LVL 47

Expert Comment

by:David
ID: 39610486
Don't sweat it. You probably had some zombie processes.  No matter what O/S you run, you can't always kill all apps.  

You very well might be over thinking the issue.   Do a fresh boot and see if the rkill works.  If it does, chalk it up to experience and move on.
0
 
LVL 18

Expert Comment

by:web_tracker
ID: 39610731
I use rkill on a regular basis to kill malware and I have never seen it run longer than 5 minutes unless the application froze up or something killed it. Even on a very slow computer it does not take long to run. I would reboot and try again, as dlethe states above.
0

Author Comment

by:MagsMcKinley14
ID: 39610747
Thinkpads_User I want to assist him with having a computer he can use until he is able to replace it in a month or two...That being said I will finish using scans to enable him to at least use his computer.  He has everything backed up.

dlethe and web_tracker I too have used rkill extensively and I have never seen it run this way.  5 minutes max I agree.  I'll attach the first and second log and I have rebooted - it would have kept running but each time I stopped it to start scans.  Should I let it continue to run until it finishes???

My question in regards to rkill are simply to help this situation and to learn -

So in looking at the beginning of the scan what does the following mean:

Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
Possibly Patched Files - he has been having issues with his svchost.exe running extremely high on memory - what are patched files?
Missing Digital Signatures - which continued to populate and never finished...pages of them - what causes these?

Thank you for your assistance,
Mags
Rkill.txt
Rkill--2.txt
0
 
LVL 47

Accepted Solution

by:
David earned 400 total points
ID: 39610773
Process terminated means it isn't running anymore but was when the app started.
Patched files are ones that could have been tampered with. These should be considered suspect files or possible infections.


A digital signature is effectively an electronic watermark that is tamperproof. If it is an Adobe file that has the Adobe signature then it is 100% safe.

But not everything has a digital signature. You're talking $300 - $500 annual cost to a developer to get somebody like VeriSign to authenticate and validate one, and then the developer has to go through extra work to embed the signature in the file.

A missing signature is not necessarily bad; it is bad if the signature in the file does not match the vendor. That would be extremely rare and an indication the file has been compromised.
0
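A worked example of how to triage the [NoSig] / [Pos Repl] entries David describes above. This is an added example and is not part of the original thread, nor of Rkill itself: it parses the log format shown in the question and, for each unsigned file, checks whether one of the replacement candidates Rkill listed has the same size and MD5. The clipsrv.exe and comres.dll lines are copied from the question's log; the example_unsigned.dll entry and its hashes are constructed to show an unsigned file with no identical backup copy. The function names and the verdict labels are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input. The clipsrv.exe and comres.dll blocks are copied from
# the Rkill log in the question; "example_unsigned.dll" and its hashes are made up
# to show an unsigned file whose backup copies do NOT share its hash.
SAMPLE_LOG = r"""
Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\clipsrv.exe : 33,280 : 08/04/2004 01:56 AM : c8dec22c4137d7a90f8bdf41ca4b82ae [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]

 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comres.dll : 792,064 : 08/04/2004 01:56 AM : 6728270cb7dbb776ed086f5ac4c82310 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]

 * C:\WINDOWS\System32\example_unsigned.dll : 10,240 : 01/01/2013 12:00 PM : deadbeefdeadbeefdeadbeefdeadbeef [NoSig]
 +-> C:\WINDOWS\ServicePackFiles\i386\example_unsigned.dll : 10,240 : 04/13/2008 06:11 PM : cafebabecafebabecafebabecafebabe [Pos Repl]
"""

# One Rkill line: "<marker> <path> : <size> : <date time> : <md5> [<tag>]"
# where the marker is "*" for the unsigned file and "+->" for a candidate copy.
ENTRY_RE = re.compile(
    r"^\s*(?P<kind>\*|\+->)\s+(?P<path>.+?)\s+:\s+(?P<size>[\d,]+)\s+:\s+"
    r"(?P<mtime>.+?)\s+:\s+(?P<md5>[0-9a-fA-F]{32})\s+\[(?P<tag>[^\]]+)\]\s*$"
)


@dataclass
class FileRecord:
    path: str
    size: int
    mtime: str
    md5: str


@dataclass
class UnsignedFile:
    file: FileRecord                                 # the [NoSig] file in its live location
    candidates: list = field(default_factory=list)   # [Pos Repl] copies Rkill found


def parse_missing_signatures(log_text):
    """Group each [NoSig] line with the [Pos Repl] lines that follow it."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, blank lines, and sections without size/hash fields
        rec = FileRecord(m["path"], int(m["size"].replace(",", "")),
                         m["mtime"], m["md5"].lower())
        if m["kind"] == "*" and m["tag"] == "NoSig":
            entries.append(UnsignedFile(rec))
        elif m["kind"] == "+->" and m["tag"] == "Pos Repl" and entries:
            entries[-1].candidates.append(rec)
    return entries


def triage(entries):
    """For each unsigned file, list the candidate copies that are byte-identical
    (same size and same MD5). A match means the live file equals a copy Windows
    itself keeps (service pack store, dllcache), which is the harmless case of a
    missing signature; REVIEW marks files that deserve a closer look."""
    report = {}
    for e in entries:
        identical = [c.path for c in e.candidates
                     if c.size == e.file.size and c.md5 == e.file.md5]
        report[e.file.path] = {
            "verdict": "MATCHES_KNOWN_COPY" if identical else "REVIEW",
            "identical_copies": identical,
        }
    return report


if __name__ == "__main__":
    for path, r in triage(parse_missing_signatures(SAMPLE_LOG)).items():
        print(f"{r['verdict']:<19} {path}")
        for c in r["identical_copies"]:
            print(f"{'':<19}   identical to {c}")
```

Run it against a saved Rkill.txt by reading the file into the parser instead of SAMPLE_LOG. A hash match against the ServicePackFiles or dllcache copy shows the System32 file is exactly the service-pack version, so its missing signature is the "not necessarily bad" case; it does not by itself prove the cached copy is clean, so the REVIEW bucket is where to spend the time, for example by checking that hash against the vendor's known-good file information.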
 
LVL 18

Assisted Solution

by:web_tracker
web_tracker earned 100 total points
ID: 39610784
Try running the different versions of the software such as rkill.scr, iexplorer.exe, etc.
Maybe try using roguekiller then run rkill. http://www.bleepingcomputer.com/download/roguekiller/dl/121/
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39662242
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 47

Expert Comment

by:David
ID: 39662243
The question(s), what are the meanings of the items below:
*Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
* what are patched files?
* Missing Digital Signatures

Were answered in #39610773

Author Web_tracker provided additional info in #39610784

There is nothing else to confirm because these answered the questions.
Points should be split between authors.
0
 

Author Comment

by:MagsMcKinley14
ID: 39664087
Hey Guys...I really apologize for not getting back and awarding points.  I have redirected your emails to go into my inbox...I wasn't getting them there and didn't see your reminders.  I am sooooo sorry!!!

It appears points were awarded.  If not please reopen so I may award them.
Thanks,
Mags
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 39664098
The question is still open if you wish to award points.
... Thinkpads_User
0
 

Author Closing Comment

by:MagsMcKinley14
ID: 39664536
The computer is running fine...he will be replacing it soon.  Thanks for your assistance, especially dlethe who specifically answered my questions.
0
