Solved

Rkill issues

Posted on 2013-10-29
Last Modified: 2013-11-22
When I ran Rkill on a client's computer yesterday I let it run for almost 45 mins and it still wasn't finished.  This is a first for me.

This is a Windows XP machine so I know he doesn't want to spend much on having me clean it up.  In looking at the beginning of the scan what does this mean:

Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
Possibly Patched Files - he has been having issues with his svchost.exe running extremely high on memory - what are patched files?
Missing Digital Signatures - which continued to populate and never finished...pages of them - what causes these?

Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/28/2013 01:35:55 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]

1 proccess terminated!

Possibly Patched Files.

 * C:\WINDOWS\system32\services.exe
 * C:\WINDOWS\system32\lsass.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\spoolsv.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\wbem\wmiprvse.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\ctfmon.exe

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\clipsrv.exe : 33,280 : 08/04/2004 01:56 AM : c8dec22c4137d7a90f8bdf41ca4b82ae [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]

 * C:\WINDOWS\System32\comctl32.dll : 617,472 : 08/23/2010 10:12 AM : 93afb83fbc1f9443cac722fca63d73bf [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comctl32.dll : 617,472 : 08/25/2006 09:45 AM : b0124cb21d28b1c9f678b566b6b57d92 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comctl32.dll : 617,472 : 04/13/2008 06:11 PM : 06f247492bc786ce5c24a23e178c711a [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\comctl32.dll : 617,472 : 08/23/2010 10:12 AM : 93afb83fbc1f9443cac722fca63d73bf [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll : 921,088 : 06/25/2002 03:36 PM : aef3d788dbf40c7c4d204ea45eb0c505 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll : 1,050,624 : 08/04/2004 01:57 AM : 5af68a5e44734a082442668e9c787743 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll : 1,054,208 : 08/25/2006 09:45 AM : c4e80875c1cf1222fc5efd0314ae5c01 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll : 1,054,208 : 04/13/2008 06:12 PM : bd38d1ebe24a46bd3eda059560afba12 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll : 1,054,208 : 08/23/2010 10:12 AM : 736b12b725aeb2b07f0241a9f680cb10 [Pos Repl]

 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comres.dll : 792,064 : 08/04/2004 01:56 AM : 6728270cb7dbb776ed086f5ac4c82310 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]

This continues for pages.

I have run Hitman Pro (found only cookies), MBAM (found 2 Trojan.Agent.IE), SAS (found cookies) and Avast (found Win32:Malware.gen) to start.  I am working remotely and will work with him to remove his boot time password since I cannot get back in when I need to reboot his machine.

Your feel for what is going on with my bullet questions will be appreciated.  This is what Avast says to do to handle the Win32:Malware.gen - http://forum.avast.com/index.php?topic=123900.0 which looks pretty standard.

Thanks a million for your input!
Mags

PS: am I selecting the correct Topics for this type of issue?
Question by:MagsMcKinley14
 
LVL 91

Expert Comment

by:John Hurst
ID: 39610454
If your client got a deeply embedded root kit virus, you may need to rebuild it.

I know he doesn't want to spend much on having me clean it up

So if it is badly corrupted (which it looks like, and is dead easy to do) what magic does your client propose?

.... Thinkpads_User
 
LVL 47

Expert Comment

by:dlethe
ID: 39610486
Don't sweat it. You probably had some zombie processes.  No matter what O/S you run, you can't always kill all apps.  

You very well might be over thinking the issue.   Do a fresh boot and see if the rkill works.  If it does, chalk it up to experience and move on.
 
LVL 18

Expert Comment

by:web_tracker
ID: 39610731
I use rkill on a regular basis to kill malware and I have never seen it run longer than 5 minutes unless the application froze up or something killed it. Even on a very slow computer it does not take long to run. I would reboot and try again, as dlethe states above.
 

Author Comment

by:MagsMcKinley14
ID: 39610747
Thinkpads_User, I want to assist him with having a computer he can use until he is able to replace it in a month or two...That being said, I will finish using scans to enable him to at least use his computer.  He has everything backed up.

dlethe and web_tracker, I too have used rkill extensively and I have never seen it run this way.  5 minutes max, I agree.  I'll attach the first and second log and I have rebooted - it would have kept running but each time I stopped it to start scans.  Should I let it continue to run until it finishes???

My questions in regard to rkill are simply to help this situation and to learn -

So in looking at the beginning of the scan what does the following mean:

Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
Possibly Patched Files - he has been having issues with his svchost.exe running extremely high on memory - what are patched files?
Missing Digital Signatures - which continued to populate and never finished...pages of them - what causes these?

Thank you for your assistance,
Mags
Rkill.txt
Rkill--2.txt
 
LVL 47

Accepted Solution

by:dlethe
dlethe earned 400 total points
ID: 39610773
Process terminated means it isn't running anymore but was when the app started.
Patched files are ones that could have been tampered with. These should be considered suspect files or possible infections.


Digital signature is effectively an electronic watermark that is tamperproof.   If it is an Adobe file that has the Adobe signature then it is 100% safe.

But not everything has a digital signature.  You're talking $300 - $500 annual cost to a developer to get somebody like VeriSign to authenticate and validate one, and then the developer has to go through extra work to embed the signature in the file.

A missing signature is not necessarily bad, it is bad if the signature in the file does not match the vendor. That would be extremely rare and indication the file has been compromised.
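The "Searching for Missing Digital Signatures" section of the Rkill log quoted in the question lists each unsigned file with its size, date and MD5, followed by the candidate replacement copies Rkill found. The parser below is an added example (not Rkill's own code and not from anyone in this thread) that groups each [NoSig] file with its [Pos Repl] copies and reports which copies carry an identical hash; the sample lines are the clipsrv.exe and comres.dll entries from the log above.

```python
import re

# Constructed sample: two entries copied from the Rkill log quoted in the
# question above (file names, sizes and MD5 values are the log's own).
SAMPLE_LOG = r"""
Searching for Missing Digital Signatures:
 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\clipsrv.exe : 33,280 : 08/04/2004 01:56 AM : c8dec22c4137d7a90f8bdf41ca4b82ae [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]

 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comres.dll : 792,064 : 08/04/2004 01:56 AM : 6728270cb7dbb776ed086f5ac4c82310 [Pos Repl]
"""

# One Rkill signature line: marker, path, size, timestamp, MD5, tag.
LINE_RE = re.compile(
    r"^\s*(?P<mark>\*|\+->)\s+(?P<path>.+?) : (?P<size>[\d,]+) : (?P<when>.+?) : "
    r"(?P<md5>[0-9a-fA-F]{32}) \[(?P<tag>NoSig|Pos Repl)\]\s*$"
)


def parse_signature_section(text):
    """Group each [NoSig] file with the [Pos Repl] copies Rkill lists under it."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines and other log text
        rec = {"path": m["path"], "size": int(m["size"].replace(",", "")),
               "md5": m["md5"].lower(), "candidates": []}
        if m["mark"] == "*":
            entries.append(rec)                    # a new unsigned file
        elif entries:
            entries[-1]["candidates"].append(rec)  # a copy listed under it
    return entries


def assess(entries):
    """For each unsigned file, name the local copies whose MD5 is identical.

    A matching ServicePackFiles or dllcache copy only shows the file is
    byte-for-byte the same as another copy on the same disk, not that it is
    authentic; an unmatched file needs an outside reference (vendor hash or
    a known-clean machine) before it is treated as clean.
    """
    report = []
    for e in entries:
        same = [c["path"] for c in e["candidates"] if c["md5"] == e["md5"]]
        report.append({"path": e["path"], "md5": e["md5"],
                       "identical_copies": same,
                       "needs_external_reference": not same})
    return report
```

Running `assess(parse_signature_section(SAMPLE_LOG))` shows clipsrv.exe identical to its ServicePackFiles copy, while the comres.dll in System32 matches none of its listed copies and so cannot be cleared from this log alone.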
 
LVL 18

Assisted Solution

by:web_tracker
web_tracker earned 100 total points
ID: 39610784
Try running the different versions of the software, such as rkill.scr, iexplorer.exe, etc.
Maybe try using roguekiller then run rkill. http://www.bleepingcomputer.com/download/roguekiller/dl/121/
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39662242
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
 
LVL 47

Expert Comment

by:dlethe
ID: 39662243
The question(s), what are the meanings of the items below:
* Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
* what are patched files?
* Missing Digital Signatures

were answered in #39610773.

Author Web_tracker provided additional info in #39610784

There is nothing else to confirm because these answered the questions.
Points should be split between authors.
 

Author Comment

by:MagsMcKinley14
ID: 39664087
Hey Guys...I really apologize for not getting back and awarding points.  I have redirected your emails to go into my inbox...I wasn't getting them there and didn't see your reminders.  I am sooooo sorry!!!

It appears points were awarded.  If not please reopen so I may award them.
Thanks,
Mags
 
LVL 91

Expert Comment

by:John Hurst
ID: 39664098
The question is still open if you wish to award points.
... Thinkpads_User
 

Author Closing Comment

by:MagsMcKinley14
ID: 39664536
The computer is running fine...he will be replacing it soon.  Thanks for your assistance, especially dlethe who specifically answered my questions.
