Solved

Rkill issues

Posted on 2013-10-29
12
2,964 Views
Last Modified: 2013-11-22
When I ran Rkill on a client's computer yesterday I let it run for almost 45 mins and it still wasn't finished.  This is a first for me.

This is a Windows XP machine so I know he doesn't want to spend much on having me clean it up.  In looking at the beginning of the scan, what does this mean:

Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
Possibly Patched Files - he has been having issues with his svchost.exe running extremely high on memory - what are patched files?
Missing Digital Signatures - which continued to populate and never finished...pages of them - what causes these?

Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/28/2013 01:35:55 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]

1 proccess terminated!

Possibly Patched Files.

 * C:\WINDOWS\system32\services.exe
 * C:\WINDOWS\system32\lsass.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\spoolsv.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\wbem\wmiprvse.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\ctfmon.exe

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\clipsrv.exe : 33,280 : 08/04/2004 01:56 AM : c8dec22c4137d7a90f8bdf41ca4b82ae [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]

 * C:\WINDOWS\System32\comctl32.dll : 617,472 : 08/23/2010 10:12 AM : 93afb83fbc1f9443cac722fca63d73bf [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comctl32.dll : 617,472 : 08/25/2006 09:45 AM : b0124cb21d28b1c9f678b566b6b57d92 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comctl32.dll : 617,472 : 04/13/2008 06:11 PM : 06f247492bc786ce5c24a23e178c711a [Pos Repl]
 +-> C:\WINDOWS\system32\dllcache\comctl32.dll : 617,472 : 08/23/2010 10:12 AM : 93afb83fbc1f9443cac722fca63d73bf [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll : 921,088 : 06/25/2002 03:36 PM : aef3d788dbf40c7c4d204ea45eb0c505 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll : 1,050,624 : 08/04/2004 01:57 AM : 5af68a5e44734a082442668e9c787743 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll : 1,054,208 : 08/25/2006 09:45 AM : c4e80875c1cf1222fc5efd0314ae5c01 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll : 1,054,208 : 04/13/2008 06:12 PM : bd38d1ebe24a46bd3eda059560afba12 [Pos Repl]
 +-> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll : 1,054,208 : 08/23/2010 10:12 AM : 736b12b725aeb2b07f0241a9f680cb10 [Pos Repl]

 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comres.dll : 792,064 : 08/04/2004 01:56 AM : 6728270cb7dbb776ed086f5ac4c82310 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]

This continues for pages.

I have run Hitman Pro (found only cookies), MBAM (found 2 Trojan.Agent.IE), SAS (found cookies) and Avast (found Win32:Malware.gen) to start.  I am working remotely and will work with him to remove his boot time password since I cannot get back in when I need to reboot his machine.

Your feel for what is going on with my bullet questions will be appreciated.  This is what Avast says to do to handle the Win32:Malware.gen - http://forum.avast.com/index.php?topic=123900.0 which looks pretty standard.

Thanks a million for your input!
Mags

PS: am I selecting the correct Topics for this type of issue?
0
Question by:MagsMcKinley14
12 Comments
 
LVL 95

Expert Comment

by:John Hurst
ID: 39610454
If your client got a deeply embedded root kit virus, you may need to rebuild it.

I know he doesn't want to spend much on having me clean it up

So if it badly corrupted (looks like and dead easy to do) what magic does your client propose?

.... Thinkpads_User
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39610486
Don't sweat it. You probably had some zombie processes.  No matter what O/S you run, you can't always kill all apps.  

You very well might be over thinking the issue.   Do a fresh boot and see if the rkill works.  If it does, chalk it up to experience and move on.
0
 
LVL 18

Expert Comment

by:web_tracker
ID: 39610731
I use rkill on a regular basis to kill malware and I have never seen it run longer than 5 minutes unless the application froze up or something killed it. Even on a very slow computer it does not take long to run. I would reboot and try again, as dlethe states above.
0
 

Author Comment

by:MagsMcKinley14
ID: 39610747
Thinkpads_User I want to assist him with having a computer he can use until he is able to replace it in a month or two...That being said I will finish using scans to enable him to at least use his computer.  He has everything backed up.

dlethe and web_tracker I too have used rkill extensively and I have never seen it run this way.  5 minutes max I agree.  I'll attach the first and second log and I have rebooted - it would have kept running but each time I stopped it to start scans.  Should I let it continue to run until it finishes???

My question in regards to rkill are simply to help this situation and to learn -

So in looking at the beginning of the scan what does the following mean:

Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
Possibly Patched Files - he has been having issues with his svchost.exe running extremely high on memory - what are patched files?
Missing Digital Signatures - which continued to populate and never finished...pages of them - what causes these?

Thank you for your assistance,
Mags
Rkill.txt
Rkill--2.txt
0
 
LVL 47

Accepted Solution

by:
dlethe earned 400 total points
ID: 39610773
Process terminated means it isn't running anymore but was when the app started.
Patched files are ones that could have been tampered with. These should be considered suspect files or possible infections.

Digital signature is effectively an electronic watermark that is tamperproof.   If it is an Adobe file that has the Adobe signature then it is 100% safe.

But not everything has a digital signature.  You're talking $300 - $500 annual cost to a developer to get somebody like VeriSign to authenticate and validate one, and then the developer has to go through extra work to embed the signature in the file.

A missing signature is not necessarily bad; it is bad if the signature in the file does not match the vendor. That would be extremely rare and an indication the file has been compromised.
0
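As an added example (not code from the thread, from Rkill, or from any poster), the following Python parses the "Missing Digital Signatures" block quoted in the question and applies dlethe's point above: an unsigned file is only worrying if the file itself has been altered. For each [NoSig] entry it reports whether the on-disk file has the same size and MD5 as one of the cached Windows copies Rkill lists as [Pos Repl]. The first two sample blocks are the log lines from the question; the third is constructed to show a file that matches none of its cached copies.

```python
import re

# One Rkill signature line: " * path : size : date : md5 [tag]" for the
# unsigned file, or " +-> ..." for a cached copy Rkill could restore from.
LINE_RE = re.compile(
    r"^\s*(?P<kind>\*|\+->)\s+(?P<path>.+?)\s+:\s+(?P<size>[\d,]+)\s+:\s+"
    r"(?P<date>\S+ \S+ [AP]M)\s+:\s+(?P<md5>[0-9a-f]{32})\s+\[(?P<tag>[^\]]+)\]"
)

def parse_nosig(text):
    """Return [{'path', 'size', 'md5', 'repl': [(path, size, md5), ...]}, ...]."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, blank lines, other Rkill output
        rec = (m["path"], int(m["size"].replace(",", "")), m["md5"])
        if m["kind"] == "*":
            entries.append({"path": rec[0], "size": rec[1], "md5": rec[2], "repl": []})
        elif entries:
            entries[-1]["repl"].append(rec)
    return entries

def triage(entries):
    """Map each unsigned file to the cached copy with identical size and MD5,
    or None. A match means the file is the same build Windows keeps in its own
    cache; no match means the file differs from every cache and needs a manual check."""
    return {
        e["path"]: next((p for p, s, h in e["repl"] if h == e["md5"] and s == e["size"]), None)
        for e in entries
    }

# Sample input: first two blocks quoted from the question's log, third block constructed.
SAMPLE = r"""Searching for Missing Digital Signatures:
 * C:\WINDOWS\System32\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\clipsrv.exe : 33,280 : 08/04/2004 01:56 AM : c8dec22c4137d7a90f8bdf41ca4b82ae [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\clipsrv.exe : 33,280 : 04/13/2008 06:12 PM : 34cbe729f38138217f9c80212a2a0c82 [Pos Repl]
 * C:\WINDOWS\System32\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 +-> C:\WINDOWS\$NtServicePackUninstall$\comres.dll : 792,064 : 08/04/2004 01:56 AM : 6728270cb7dbb776ed086f5ac4c82310 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\comres.dll : 792,064 : 04/13/2008 06:11 PM : 1280a158c722fa95a80fb7aebe78fa7d [Pos Repl]
 * C:\WINDOWS\System32\example.dll : 10,240 : 01/01/2013 12:00 PM : 00000000000000000000000000000000 [NoSig]
 +-> C:\WINDOWS\ServicePackFiles\i386\example.dll : 10,240 : 04/13/2008 06:12 PM : ffffffffffffffffffffffffffffffff [Pos Repl]
"""

if __name__ == "__main__":
    for path, match in triage(parse_nosig(SAMPLE)).items():
        print(path, "->", match or "NO CACHED COPY MATCHES; verify by hand")
```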
 
LVL 18

Assisted Solution

by:web_tracker
web_tracker earned 100 total points
ID: 39610784
Try running the different versions of the software such as rkill.scr, iexplorer.exe, etc.
Maybe try using RogueKiller then run rkill. http://www.bleepingcomputer.com/download/roguekiller/dl/121/
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39662242
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39662243
The question(s), what are the meanings of the items below:
*Process terminated - C:\WINDOWS\System32\alg.exe (PID: 3572) [WD-HEUR]
* what are patched files?
* Missing Digital Signatures

Were answered in #39610773

Author Web_tracker provided additional info in #39610784

There is nothing else to confirm because these answered the questions.
Points should be split between authors.
0
 

Author Comment

by:MagsMcKinley14
ID: 39664087
Hey Guys...I really apologize for not getting back and awarding points.  I have redirected your emails to go into my inbox...I wasn't getting them there and didn't see your reminders.  I am sooooo sorry!!!

It appears points were awarded.  If not please reopen so I may award them.
Thanks,
Mags
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 39664098
The question is still open if you wish to award points.
... Thinkpads_User
0
 

Author Closing Comment

by:MagsMcKinley14
ID: 39664536
The computer is running fine...he will be replacing it soon.  Thanks for your assistance, especially dlethe who specifically answered my questions.
0
