RKill - What it does and What it Doesn't - A brief introduction to the program

Herbalist Dr MziziMkavu

JF-Expert Member
Feb 3, 2009
This topic was created to provide a very brief introduction as to what RKill does and to provide a way for people to report false positives of processes that are terminated. Even though false positives may occur, this should not be considered a problem, as you can always launch the programs again or reboot your computer; no files are removed by running RKill. This topic is not to be used as a support topic for getting RKill to run or for removing specific malware. All information that I can provide on getting RKill to run will already be given in this topic, and if you need help removing malware you can follow the steps here or ask in the Am I Infected? forum.

RKill is a program developed at BleepingComputer.com that was originally designed for use in our malware removal guides. It was created so that we could have an easy-to-use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.

So in summary, RKill just kills processes, imports a Registry file that removes incorrect file associations, and fixes policies that stop us from using certain tools. When done, RKill will then create a log listing all processes that were terminated while the program was running. Please note that this will include processes that were terminated manually by the user as well as by RKill. I have whitelisted some processes that are commonly shown as being killed even though they weren't terminated by RKill, including the program itself, to avoid confusion that a legitimate process was terminated. Other than what is listed above, it does nothing else.

Since RKill only terminates processes, after running it you should not reboot your computer, as any malware processes that are set to start automatically will just start up again. Instead, after running RKill you should scan your computer using your malware removal tool of choice. If there is a problem after running RKill, just reboot your computer and you will be back to where you started before running the program. Some great free tools that you can use to scan your computer after running RKill include MalwareBytes' Anti-Malware, SuperAntiSpyware, and Dr.Web CureIt.

RKill can be downloaded from the following locations. Please note that the other filenames below are RKill as well, just renamed in order to allow it to run when certain malware blocks it.



When RKill is run it will display a console screen similar to the one below:

rkill.jpg


That console screen will continue to run until RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill and while RKill was running.

Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected. Examples of these warnings are:

antivirus-suite-infected.jpg
security-tool-alert.jpg


These warnings are just fake alerts by the malware that has hijacked your computer trying to protect itself. Two methods that you can try to get past this and allow RKill to run are:
  • When you receive the warning message, leave the message on the screen and try running RKill again.
  • If that does not work, just keep launching RKill until it catches and stays up long enough to kill the malware.
Yes, both methods are not elegant, but they will work if you keep trying. Unfortunately, there is not much better I can do at this point for some malware that are very tenacious at killing all processes that run.

On a final note, when you download and run RKill, certain anti-virus programs may state that the program is a security risk. This is because some of the tools used by RKill can be used for good or bad, though the programs themselves are perfectly harmless, and most anti-virus programs just lump them into the bad category. I assure you we are using them only for good purposes.

A scan from virustotal.com as of 12/02/10 shows the following AV vendors flagging RKill as:

ClamAV 0.96.4.0 2010.12.02 PUA.Packed.PECompact-1
eSafe 7.0.17.0 2010.12.02 Suspicious File
F-Prot 4.6.2.117 2010.12.01 File is damaged
Sophos 4.60.0 2010.12.02 NirCmd

Please be assured that there are no Trojans or infections within RKill.

If you have any other questions about RKill, feel free to post them in the topic. Do not, though, ask questions about how to get RKill to run, unless you can provide a better method to get around the malware blocking it. Also please do not ask about how to remove specific malware. Those questions should be asked in the forums listed earlier in the topic.

Changelog:

12/2/10:

  • Major rewrite of the program to be more effective.
  • No longer terminates explorer, as that restarted applications running from Runonce.
  • Uses a whitelist for displaying the processes that were killed. This is so it no longer shows itself as being killed, along with some other processes that were always displayed in Vista and Windows 7 even though RKill didn't terminate them.
  • Cleaned up output.
Source: http://www.bleepingcomputer.com/forums/topic308364.html
This is a tool for removing viruses, Trojans, malware and worms. Use it before scanning with your anti-virus, and keep it with you every day: whenever you see your computer running slowly, use this tool to kill all the bugs on the computer.
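The post above says RKill's registry import repairs incorrect file associations and policies that block cleanup tools. As an added, read-only example (not RKill's own code), the following PowerShell audits those two areas on a Windows machine and reports what it finds without changing anything; the exact key paths and value names are assumptions, not taken from the post.

```powershell
# Added example, not RKill's code: read-only audit of the two registry areas the
# post says RKill's registry import repairs. Key paths and value names are assumptions.
$findings = @()

# 1. The .exe file association. The stock handler is "%1" %* ; any other value means
#    every launched program is routed through a different command first.
$expected = '"%1" %*'
foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
    $key = Join-Path $hive 'exefile\shell\open\command'
    if (Test-Path $key) {
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -ne $expected) {
            $findings += "exefile association under $hive is '$cmd' (expected $expected)"
        }
    }
}

# 2. Policy values that disable Task Manager and Registry Editor, the tools a
#    cleanup usually relies on. A value of 1 means the tool is blocked.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $pol = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $pol) {
        $p = Get-ItemProperty -Path $pol
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($p.PSObject.Properties[$name] -and $p.$name -eq 1) {
                $findings += "$pol\$name is set to 1"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No file-association or tool-blocking policy tampering found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A finding here is a reason to run a full scan, not proof of infection on its own, since administrators also set these policies deliberately.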
 
One day you will give people viruses without knowing it. I believe you haven't even tested this yourself.

What kind of malware removal program then recommends that you use other programs like MalwareBytes' Anti-Malware, SuperAntiSpyware, and Dr.Web CureIt?

This is really a joke, like using McAfee and then being told that when you reach a certain point you should use Kaspersky.

So what is the point of running this program?
 