Solved

Rkill issues

Posted on 2013-10-29
2,744 Views
Last Modified: 2013-11-22
When I ran Rkill on a client's computer yesterday I let it run for almost 45 mins and it still wasn't finished. This is a first for me.

This is a Windows XP machine so I know he doesn't want to spend much on having me clean it up.  In looking at the beginning of the scan what does this mean:

Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
Possibly Patched Files - he has been having issues with his svchost.exe running extremely high on memory - what are patched files?
Missing Digital Signatures - which continued to populate and never finished...pages of them - what causes these?

Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/28/2013 01:35:55 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]

1 proccess terminated!

Possibly Patched Files.

 * C:\WINDOWS\system32\services.exe
 * C:\WINDOWS\system32\lsass.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\spoolsv.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\wbem\wmiprvse.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\ctfmon.exe

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\clipsrv.exe : 33,280 : 08/04/2004 01:56 AM : c8dec22c4137d7a90f8bdf41ca4b82ae [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]

 * C:\WINDOWS\System32\comctl32.dll : 617,472 : 08/23/2010 10:12 AM : 93afb83fbc1f9443cac722fca63d73bf [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comctl32.dll : 617,472 : 08/25/2006 09:45 AM : b0124cb21d28b1c9f678b566b6b57d92 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comctl32.dll : 617,472 : 04/13/2008 06:11 PM : 06f247492bc786ce5c24a23e178c711a [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\comctl32.dll : 617,472 : 08/23/2010 10:12 AM : 93afb83fbc1f9443cac722fca63d73bf [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll : 921,088 : 06/25/2002 03:36 PM : aef3d788dbf40c7c4d204ea45eb0c505 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll : 1,050,624 : 08/04/2004 01:57 AM : 5af68a5e44734a082442668e9c787743 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll : 1,054,208 : 08/25/2006 09:45 AM : c4e80875c1cf1222fc5efd0314ae5c01 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll : 1,054,208 : 04/13/2008 06:12 PM : bd38d1ebe24a46bd3eda059560afba12 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll : 1,054,208 : 08/23/2010 10:12 AM : 736b12b725aeb2b07f0241a9f680cb10 [Pos Repl]

 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comres.dll : 792,064 : 08/04/2004 01:56 AM : 6728270cb7dbb776ed086f5ac4c82310 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]

This continues for pages.

I have run Hitman Pro (found only cookies), MBAM (found 2 Trojan.Agent.IE), SAS (found cookies) and Avast (found Win32:Malware.gen) to start. I am working remotely and will work with him to remove his boot time password since I cannot get back in when I need to reboot his machine.

Your feel for what is going on with my bullet questions will be appreciated.  This is what Avast says to do to handle the Win32:Malware.gen - http://forum.avast.com/index.php?topic=123900.0 which looks pretty standard.

Thanks a million for your input!
Mags

PS  am I selecting the correct Topics for this type of issue?
0
Question by:MagsMcKinley14
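As an added example (not part of the original question and not Rkill's own code), here is a small Python triage script for the "Missing Digital Signatures" section of an Rkill log in the format quoted above. It groups each [NoSig] file with the [Pos Repl] candidates listed beneath it and checks whether the unsigned file's MD5 matches a copy that Windows itself keeps (ServicePackFiles, dllcache, $NtServicePackUninstall$, WinSxS). A match means the bytes in System32 are identical to the service-pack copy Windows installed, so the missing signature is a property of that build rather than evidence the file was patched; a same-size/different-hash result is what an in-place byte patch tends to look like and deserves manual comparison. The sample log is constructed from the clipsrv.exe and comres.dll entries quoted in the question plus one invented `example.dll` entry to exercise the mismatch branch; the backup-directory list and the verdict names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One line of the "Missing Digital Signatures" section: either the unsigned
# file itself ("*") or a possible replacement copy ("+->") listed beneath it.
LINE_RE = re.compile(
    r"^\s*(?P<kind>\*|\+->)\s+(?P<path>.+?)\s+:\s+(?P<size>[\d,]+)\s+:\s+"
    r"(?P<mtime>\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)\s+:\s+"
    r"(?P<md5>[0-9a-fA-F]{32})\s+\[(?P<tag>[^\]]+)\]\s*$"
)

# Assumption of this example: directories where Windows keeps its own copies of
# system files (service-pack cache, SFC cache, uninstall backups, side-by-side store).
BACKUP_DIRS = ("ServicePackFiles", "dllcache", "$NtServicePackUninstall$", "$NtUninstall", "WinSxS")


@dataclass
class FileRecord:
    path: str
    size: int   # bytes, thousands separators removed
    mtime: str  # kept exactly as printed in the log
    md5: str
    tag: str    # "NoSig" or "Pos Repl"


@dataclass
class UnsignedEntry:
    file: FileRecord
    replacements: List[FileRecord] = field(default_factory=list)


def parse_line(line: str) -> Optional[Tuple[str, FileRecord]]:
    """Return (kind, record) for a file line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = FileRecord(
        path=m.group("path"),
        size=int(m.group("size").replace(",", "")),
        mtime=m.group("mtime"),
        md5=m.group("md5").lower(),
        tag=m.group("tag"),
    )
    return m.group("kind"), rec


def parse_missing_signatures(text: str) -> List[UnsignedEntry]:
    """Group each [NoSig] file with the [Pos Repl] lines that follow it."""
    entries: List[UnsignedEntry] = []
    current: Optional[UnsignedEntry] = None
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, rec = parsed
        if kind == "*":
            current = UnsignedEntry(rec)
            entries.append(current)
        elif current is not None:  # a "+->" line belongs to the last "*" line
            current.replacements.append(rec)
    return entries


def is_backup_location(path: str) -> bool:
    lowered = path.lower()
    return any(d.lower() in lowered for d in BACKUP_DIRS)


def triage(entry: UnsignedEntry) -> Tuple[str, Optional[str]]:
    """Classify one unsigned file against the copies Windows keeps of it."""
    # Identical bytes to a Windows-maintained copy: the missing signature is a
    # property of that build, not evidence of tampering.
    for r in entry.replacements:
        if r.md5 == entry.file.md5 and is_backup_location(r.path):
            return "matches-backup-copy", r.path
    # Same size but different content is what an in-place byte patch looks
    # like; compare the two files by hand before trusting either.
    for r in entry.replacements:
        if r.size == entry.file.size:
            return "same-size-different-hash", r.path
    return "no-matching-copy", None


def summarize(text: str) -> Dict[str, str]:
    return {e.file.path: triage(e)[0] for e in parse_missing_signatures(text)}


# Constructed sample: the clipsrv.exe and comres.dll entries as printed in the
# question, plus an invented example.dll entry to exercise the mismatch branch.
SAMPLE_LOG = r"""
Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\clipsrv.exe : 33,280 : 08/04/2004 01:56 AM : c8dec22c4137d7a90f8bdf41ca4b82ae [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]

 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comres.dll : 792,064 : 08/04/2004 01:56 AM : 6728270cb7dbb776ed086f5ac4c82310 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]

 * C:\WINDOWS\System32\example.dll : 10,240 : 01/01/2010 12:00 PM : 00000000000000000000000000000000 [NoSig]
 +-> C:\WINDOWS\ServicePackFiles\i386\example.dll : 10,240 : 04/13/2008 06:12 PM : ffffffffffffffffffffffffffffffff [Pos Repl]
"""

if __name__ == "__main__":
    for entry in parse_missing_signatures(SAMPLE_LOG):
        verdict, ref = triage(entry)
        print(f"{verdict:26} {entry.file.path}" + (f"  (cf. {ref})" if ref else ""))
```

Two caveats on reading the verdicts. A hash match against the backup cache is a heuristic, not proof: anyone with administrator rights could alter both copies, so the authoritative check remains signature verification against Microsoft's catalogs (for example Sysinternals sigcheck, or Get-AuthenticodeSignature on a current Windows). And many XP-era system files carry no embedded Authenticode signature at all, being vouched for by catalog (.cat) files instead, so a [NoSig] list running to many pages is not by itself alarming; what matters is whether the bytes differ from a known-good copy, which is exactly the comparison the script makes.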
12 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 39610454
If your client got a deeply embedded root kit virus, you may need to rebuild it.

I know he doesn't want to spend much on having me clean it up

So if it is badly corrupted (looks like it, and dead easy to do) what magic does your client propose?

.... Thinkpads_User
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39610486
Don't sweat it. You probably had some zombie processes.  No matter what O/S you run, you can't always kill all apps.  

You very well might be over thinking the issue.   Do a fresh boot and see if the rkill works.  If it does, chalk it up to experience and move on.
0
 
LVL 18

Expert Comment

by:web_tracker
ID: 39610731
I use rkill on a regular basis to kill malware and I have never seen it run longer than 5 minutes unless the application froze up or something killed it. Even on a very slow computer it does not take long to run. I would reboot and try again, as dlethe states above.
0
 

Author Comment

by:MagsMcKinley14
ID: 39610747
Thinkpads_User, I want to assist him with having a computer he can use until he is able to replace it in a month or two. That being said, I will finish using scans to enable him to at least use his computer. He has everything backed up.

dlethe and web_tracker, I too have used rkill extensively and I have never seen it run this way. 5 minutes max, I agree. I'll attach the first and second log, and I have rebooted - it would have kept running, but each time I stopped it to start scans. Should I let it continue to run until it finishes???

My questions in regard to rkill are simply to help this situation and to learn -

So in looking at the beginning of the scan what does the following mean:

Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
Possibly Patched Files - he has been having issues with his svchost.exe running extremely high on memory - what are patched files?
Missing Digital Signatures - which continued to populate and never finished...pages of them - what causes these?

Thank you for your assistance,
Mags
Rkill.txt
Rkill--2.txt
0
 
LVL 47

Accepted Solution

by:
dlethe earned 400 total points
ID: 39610773
Process terminated means it isn't running anymore but was when the app started.
Patched files are ones that could have been tampered with. These should be considered suspect files or possible infections.


Digital signature is effectively an electronic watermark that is tamperproof. If it is an Adobe file that has the Adobe signature then it is 100% safe.

But not everything has a digital signature. You're talking $300 - $500 annual cost to a developer to get somebody like VeriSign to authenticate and validate one, and then the developer has to go through extra work to embed the signature in the file.

A missing signature is not necessarily bad, it is bad if the signature in the file does not match the vendor. That would be extremely rare and indication the file has been compromised.
0
 
LVL 18

Assisted Solution

by:web_tracker
web_tracker earned 100 total points
ID: 39610784
try running the different versions of the software such as rkill.scr, iexplorer.exe, etc.
Maybe try using roguekiller then run rkill. http://www.bleepingcomputer.com/download/roguekiller/dl/121/
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39662242
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39662243
The question(s), what are the meanings of the items below:
*Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
* what are patched files?
* Missing Digital Signatures

Were answered in #39610773

Author Web_tracker provided additional info in #39610784

There is nothing else to confirm because these answered the questions.
Points should be split between authors.
0
 

Author Comment

by:MagsMcKinley14
ID: 39664087
Hey Guys...I really apologize for not getting back and awarding points.  I have redirected your emails to go into my inbox...I wasn't getting them there and didn't see your reminders.  I am sooooo sorry!!!

It appears points were awarded.  If not please reopen so I may award them.
Thanks,
Mags
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39664098
The question is still open if you wish to award points.
... Thinkpads_User
0
 

Author Closing Comment

by:MagsMcKinley14
ID: 39664536
The computer is running fine...he will be replacing it soon.  Thanks for your assistance, especially dlethe who specifically answered my questions.
0
