  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3230
Rkill issues

When I ran Rkill on a client's computer yesterday I let it run for almost 45 mins and it still wasn't finished. This is a first for me.

This is a Windows XP machine so I know he doesn't want to spend much on having me clean it up. Looking at the beginning of the scan, what does this mean:

Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
Possibly Patched Files - he has been having issues with his svchost.exe running extremely high on memory - what are patched files?
Missing Digital Signatures - which continued to populate and never finished... pages of them - what causes these?

Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/28/2013 01:35:55 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]

1 proccess terminated!

Possibly Patched Files.

 * C:\WINDOWS\system32\services.exe
 * C:\WINDOWS\system32\lsass.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\spoolsv.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\wbem\wmiprvse.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\ctfmon.exe

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\clipsrv.exe : 33,280 : 08/04/2004 01:56 AM : c8dec22c4137d7a90f8bdf41ca4b82ae [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]

 * C:\WINDOWS\System32\comctl32.dll : 617,472 : 08/23/2010 10:12 AM : 93afb83fbc1f9443cac722fca63d73bf [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comctl32.dll : 617,472 : 08/25/2006 09:45 AM : b0124cb21d28b1c9f678b566b6b57d92 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comctl32.dll : 617,472 : 04/13/2008 06:11 PM : 06f247492bc786ce5c24a23e178c711a [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\comctl32.dll : 617,472 : 08/23/2010 10:12 AM : 93afb83fbc1f9443cac722fca63d73bf [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll : 921,088 : 06/25/2002 03:36 PM : aef3d788dbf40c7c4d204ea45eb0c505 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll : 1,050,624 : 08/04/2004 01:57 AM : 5af68a5e44734a082442668e9c787743 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll : 1,054,208 : 08/25/2006 09:45 AM : c4e80875c1cf1222fc5efd0314ae5c01 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll : 1,054,208 : 04/13/2008 06:12 PM : bd38d1ebe24a46bd3eda059560afba12 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll : 1,054,208 : 08/23/2010 10:12 AM : 736b12b725aeb2b07f0241a9f680cb10 [Pos Repl]

 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comres.dll : 792,064 : 08/04/2004 01:56 AM : 6728270cb7dbb776ed086f5ac4c82310 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]

This continues for pages.

I have run Hitman Pro (found only cookies), MBAM (found 2 Trojan.Agent.IE), SAS (found cookies) and Avast (found Win32:Malware.gen) to start. I am working remotely and will work with him to remove his boot time password since I cannot get back in when I need to reboot his machine.

Your feel for what is going on with my bullet questions will be appreciated. This is what Avast says to do to handle the Win32:Malware.gen - http://forum.avast.com/index.php?topic=123900.0 - which looks pretty standard.

Thanks a million for your input!
Mags

PS: Am I selecting the correct Topics for this type of issue?
0
John Hurst, Business Consultant (Owner), commented:
If your client got a deeply embedded root kit virus, you may need to rebuild it.

I know he doesn't want to spend much on having me clean it up

So if it is badly corrupted (looks like it, and dead easy to do), what magic does your client propose?

.... Thinkpads_User
0
 
David commented:
Don't sweat it. You probably had some zombie processes. No matter what O/S you run, you can't always kill all apps.

You very well might be over-thinking the issue. Do a fresh boot and see if the rkill works. If it does, chalk it up to experience and move on.
0
 
web_tracker commented:
I use rkill on a regular basis to kill malware and I have never seen it run longer than 5 minutes unless the application froze up or something killed it. Even on a very slow computer it does not take long to run. I would reboot and try again, as dlethe states above.
0
 
Mags (Author) commented:
Thinkpads_User, I want to assist him with having a computer he can use until he is able to replace it in a month or two. That being said, I will finish using scans to enable him to at least use his computer. He has everything backed up.

dlethe and web_tracker, I too have used rkill extensively and I have never seen it run this way. 5 minutes max, I agree. I'll attach the first and second log, and I have rebooted - it would have kept running but each time I stopped it to start scans. Should I let it continue to run until it finishes?

My questions in regards to rkill are simply to help this situation and to learn.

So, looking at the beginning of the scan, what does the following mean:

Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
Possibly Patched Files - he has been having issues with his svchost.exe running extremely high on memory - what are patched files?
Missing Digital Signatures - which continued to populate and never finished... pages of them - what causes these?

Thank you for your assistance,
Mags
Rkill.txt
Rkill--2.txt
0
 
David commented:
Process terminated means it isn't running anymore but was when the app started.
Patched files are ones that could have been tampered with. These should be considered suspect files or possible infections.


A digital signature is effectively an electronic watermark that is tamperproof. If it is an Adobe file that has the Adobe signature then it is 100% safe.

But not everything has a digital signature. You're talking $300 - $500 annual cost to a developer to get somebody like VeriSign to authenticate and validate one, and then the developer has to go through extra work to embed the signature in the file.

A missing signature is not necessarily bad; it is bad if the signature in the file does not match the vendor. That would be extremely rare and an indication the file has been compromised.
0
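As an added example (not code from this thread, and not part of Rkill), the following Python script takes the "Searching for Missing Digital Signatures" section of an Rkill log in the layout posted in the question and applies the point David makes above: a missing signature on its own is weak evidence. Each " * ... [NoSig]" entry is grouped with the " +-> ... [Pos Repl]" copies listed under it, and the script reports whether the unsigned file's MD5 is identical to one of the copies Windows itself keeps (ServicePackFiles, dllcache, $NtServicePackUninstall$, WinSxS). The clipsrv.exe and comres.dll entries in the sample are taken from the log in the question; the third entry and its hashes are constructed placeholders, added to show an unsigned file that matches nothing on disk.

```python
"""Triage the "Missing Digital Signatures" section of an Rkill log.

Every " * ... [NoSig]" line names a file without a digital signature; the
" +-> ... [Pos Repl]" lines under it are copies of the same file that Rkill
found elsewhere on disk. If the unsigned file's MD5 equals one of those
copies it is byte-for-byte the same as a copy Windows itself keeps, so the
missing signature alone says little. An unsigned file with no identical
copy anywhere is the one to examine first.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One log line: "<path> : <size> : <timestamp> : <md5> [<tag>]"
LINE_RE = re.compile(
    r"^\s*(?P<kind>\*|\+->)\s+(?P<path>.+?) : (?P<size>[\d,]+) : "
    r"(?P<stamp>.+?) : (?P<md5>[0-9a-f]{32}) \[(?P<tag>[^\]]+)\]\s*$"
)

SECTION_HEADER = "Searching for Missing Digital Signatures"
IDENTICAL_COPY = "identical to a copy kept by Windows"
NO_IDENTICAL_COPY = "no identical copy on disk; verify before trusting"


@dataclass
class FileEntry:
    path: str
    size: int
    stamp: str
    md5: str
    tag: str


@dataclass
class UnsignedGroup:
    unsigned: FileEntry
    candidates: List[FileEntry] = field(default_factory=list)

    def matching_copies(self) -> List[FileEntry]:
        """Candidate copies whose MD5 equals the unsigned file's MD5."""
        return [c for c in self.candidates if c.md5 == self.unsigned.md5]

    def verdict(self) -> Tuple[str, Optional[str]]:
        """(verdict text, path of the first identical copy or None)."""
        matches = self.matching_copies()
        if matches:
            return IDENTICAL_COPY, matches[0].path
        return NO_IDENTICAL_COPY, None


def parse_missing_signatures(log_text: str) -> List[UnsignedGroup]:
    """Collect each [NoSig] file together with its [Pos Repl] copies."""
    groups: List[UnsignedGroup] = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith(SECTION_HEADER):
            in_section = True
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and anything that is not a file entry
        entry = FileEntry(
            path=m["path"],
            size=int(m["size"].replace(",", "")),
            stamp=m["stamp"],
            md5=m["md5"],
            tag=m["tag"],
        )
        if m["kind"] == "*":
            groups.append(UnsignedGroup(entry))
        elif groups:  # "+->" lines belong to the most recent "*" line
            groups[-1].candidates.append(entry)
    return groups


def summarize(log_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (unsigned path, verdict, identical copy path) per unsigned file."""
    return [(g.unsigned.path, *g.verdict()) for g in parse_missing_signatures(log_text)]


# Constructed sample in Rkill's layout: the clipsrv.exe and comres.dll groups
# are copied from the log in this thread; the third group is made up, with
# placeholder hashes, to show an unsigned file that matches nothing on disk.
SAMPLE_LOG = r"""Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\clipsrv.exe : 33,280 : 08/04/2004 01:56 AM : c8dec22c4137d7a90f8bdf41ca4b82ae [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]

 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comres.dll : 792,064 : 08/04/2004 01:56 AM : 6728270cb7dbb776ed086f5ac4c82310 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]

 * C:\WINDOWS\System32\example.dll : 10,240 : 01/01/2013 12:00 AM : 00000000000000000000000000000000 [NoSig]
 +-> C:\WINDOWS\system32\dllcache\example.dll : 10,240 : 01/01/2013 12:00 AM : 11111111111111111111111111111111 [Pos Repl]
"""

if __name__ == "__main__":
    for path, verdict, copy in summarize(SAMPLE_LOG):
        print(f"{path}\n    {verdict}" + (f" ({copy})" if copy else ""))
```

Run against the saved Rkill.txt instead of the embedded sample by reading the file into `summarize()`. A match against ServicePackFiles or dllcache only shows the file is the same as the backup copy Windows kept; it does not prove the backup copy is clean, so the files reported with no identical copy are the ones worth hashing and checking against the vendor.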
 
web_tracker commented:
Try running the different versions of the software such as rkill.scr, iexplorer.exe, etc.
Maybe try using RogueKiller, then run rkill. http://www.bleepingcomputer.com/download/roguekiller/dl/121/
0
 
LeeTutor (retired) commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
David commented:
The question(s), what are the meanings of the items below:
 * Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
 * what are patched files?
 * Missing Digital Signatures

were answered in #39610773.

Author Web_tracker provided additional info in #39610784

There is nothing else to confirm because these answered the questions.
Points should be split between authors.
0
 
Mags (Author) commented:
Hey Guys... I really apologize for not getting back and awarding points. I have redirected your emails to go into my inbox... I wasn't getting them there and didn't see your reminders. I am sooooo sorry!!!

It appears points were awarded. If not, please reopen so I may award them.
Thanks,
Mags
0
 
John Hurst, Business Consultant (Owner), commented:
The question is still open if you wish to award points.
... Thinkpads_User
0
 
Mags (Author) commented:
The computer is running fine... he will be replacing it soon. Thanks for your assistance, especially dlethe who specifically answered my questions.
0