RKill Helps You Remove Fake Anti-Virus and Other Rogues Easily

Chances are, if you use the internet, you’ve encountered a fake anti-virus application. They are everywhere these days and they’re getting much better at bypassing conventional anti-virus.

There are lots of ways to kill these rogues; however, Rkill makes it really easy! The guys over at BleepingComputer are nice enough to make these tools (and make them free too!).

Here’s how I use Rkill.

  1. Copy the Rkill downloads to a folder on my USB stick.
  2. Make my stick read-only (little switch on the stick).
  3. Put the stick in the client’s computer with the fake anti-virus.
  4. Open a copy of Rkill.
  5. Rkill detects the rogue and kills its process.
  6. I manually delete the rogue, since Rkill provides a log with the rogue’s location.
  7. Run Malwarebytes.
  8. If it’s a 32-bit OS I’ll scan for rootkits as well.
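As an added example (my code, not RKill’s and not the post author’s), the PowerShell below does by hand the triage that steps 5 and 6 lean on RKill for: it lists running processes whose image lives in a user-writable directory or lacks a valid Authenticode signature, and writes their on-disk paths to a CSV so they can be reviewed and removed. It only reports and terminates nothing. The list of directories flagged and the Desktop output path are my assumptions; it needs Windows PowerShell with Get-AuthenticodeSignature available.

```powershell
# Added example, not RKill's code: a report-only triage pass over running
# processes. Rogue anti-virus typically runs from a user-writable directory
# and is unsigned, so both signals are recorded for each process.

# Assumption: these are the drop locations worth flagging. Adjust to taste.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') }

function Get-SuspiciousProcess {
    [CmdletBinding()]
    param()

    # Path is empty for protected processes we cannot open (System, csrss, ...).
    $procs = Get-Process | Where-Object { $_.Path }

    foreach ($proc in $procs) {
        $path = $proc.Path
        $inUserDir = $false
        foreach ($dir in $userWritable) {
            if ($path.StartsWith("$dir\", [System.StringComparison]::OrdinalIgnoreCase)) {
                $inUserDir = $true
                break
            }
        }

        # Authenticode check; a missing or broken signature is only a hint,
        # since plenty of legitimate software is unsigned.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $sigStatus = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }

        if ($inUserDir -or $sigStatus -ne 'Valid') {
            [PSCustomObject]@{
                Id        = $proc.Id
                Name      = $proc.ProcessName
                Path      = $path
                UserDir   = $inUserDir
                Signature = $sigStatus
            }
        }
    }
}

# Like the location RKill's log hands the post's author, the Path column is what
# you go back to on disk once the process has been stopped.
$report = Get-SuspiciousProcess | Sort-Object Path -Unique
$report | Format-Table Id, Name, Signature, UserDir, Path -AutoSize
# Assumed output location.
$report | Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\process-triage.csv" -NoTypeInformation
```

Expect false positives: portable tools, updaters and some vendor agents legitimately run from AppData or ProgramData, so the report is a starting point for a human review, not a verdict. Run it from a 64-bit PowerShell on 64-bit Windows, otherwise the paths of 64-bit processes come back empty and are silently skipped. If the rogue blocks PowerShell itself, the post’s read-only stick or DVD approach is the fallback.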

Here are the Rkill downloads. Each Rkill download is essentially the same; if the fake anti-virus blocks one of them, another will probably work.

RKill download links:

47 Responses to RKill Helps You Remove Fake Anti-Virus and Other Rogues Easily

  1. Anakin March 17, 2011 at 9:30 pm #

    Sorry to be a thorn in your side Matt but rkill does NOT remove malware. It will only terminate malicious processes so you can remove the infection. Also 99% of the time malware recognizes rkill. So it’s best to rename rkill to any random name you choose. Such as abc123.exe or 12345.exe. In most cases rkill will not run unless it’s renamed.

  2. Anakin March 17, 2011 at 9:33 pm #

    Also a rootkit scan should always be done before running MBAM. So the order should be:

    1. Download rkill
    2. Rename rkill and execute it.
    3. Scan for rootkits
    4. Download, install, update and run a full scan with MBAM.
    5. Most malware is easy to spot if you use Process Explorer or Process Hacker.

  3. JimBob March 17, 2011 at 10:30 pm #

    @Anakin

    Matt did not say that Rkill removes malware. He said it “detects the Rogue and kills the process”. That’s quite clear to me.

    I’ve started using it and it really makes things a lot easier. I used it on a 64-bit system last night and was done in 30 minutes (Rkill and MBAM). Since it was a 64-bit system, checking for rootkits was a pointless and unnecessary step.

  4. malwarekilla March 17, 2011 at 11:48 pm #

    @anakin – I know. I typo’d the title of the post, but it was correct in the post content. Fixed title.

  5. Anakin March 17, 2011 at 11:56 pm #

    It was the subject line Matt which read “rkill removes malware”.

  6. Anakin March 17, 2011 at 11:58 pm #

    JimBob………………..You’re sadly mistaken if you think that a 64 bit OS cannot be infected with a rootkit. That news was released a long time ago. Sure a 64 bit OS may be harder to infect but it’s not impossible.

    http://www.surfright.nl/en/home/press/64-bit-version-of-windows-appears-vulnerable-for-rootkits

  7. Warwagon March 18, 2011 at 12:18 am #

    I’d also like to point out that 99% of new USB sticks do not have a write protection switch. I’ll admit the ones that do are VERY nice and they are the only ones I buy and the only ones that ever get plugged into a random machine, but you really have to search to find ones that have a write protection switch.

  8. Carlos March 18, 2011 at 1:16 am #

    Matt [a.k.a. malwarekilla] Have you tried ROGUEKILLER instead of RKill to try to kill the running malware processes on an infected PC? It has nothing to do with Rkill which is promoted by Bleeping Computer which is owned by MBAM [malwarebytes.org]. ROGUEKILLER is an independent web-site in the French language where its web-master has developed this tool that has the same effect on the fake AV processes as RKill. Try it and let me know how it worked for you. The web-site with download link is: http://www.sur-la-toile.com/RogueKiller/

  9. malwarekilla March 18, 2011 at 2:22 am #

    @anakin – haven’t seen any yet, but it looks like it’s *easily* possible if that’s all the rootkit has to do. Too bad MS makes it so easy to disable driver signing.

  10. estechguy March 18, 2011 at 2:22 am #

    @Anakin – May I ask…What the heck are you trying to do!?

  11. JimBob March 18, 2011 at 2:27 am #

    @Anakin

    I didn’t say it wasn’t possible…but it is improbable and rare on 64-bit. Especially so when it’s just a simple Fake AV infection.

  12. malwarekilla March 18, 2011 at 2:46 am #

    agreed…I personally feel that rootkits on a 64-bit OS are the equivalent of serious malware on a mac…you just don’t see it….yet.

  13. Xystren March 18, 2011 at 1:26 pm #

    @Malwarekilla/Matt: “YET” is the operative word. Just give it time, just give it time. It’s only a matter of time – after all that’s what 32-bit OS were supposed to save us from LOL.

  14. estechguy March 18, 2011 at 8:21 pm #

    @Matt – what kind of problems do you see with the clients’ Macs?

  15. malwarekilla March 18, 2011 at 9:06 pm #

    @estechguy – usually bad hard drives…not too much really.

  16. Thermalcake March 21, 2011 at 6:07 pm #

    Haven’t seen you reviewing Norton Internet Security 2011. Could you do that? With higher microphone volume than before of course 😉

  17. C. C. March 22, 2011 at 9:44 am #

    Hi Matt
    You might want to take a look at this product which is called Rogue Killer.
    The webpage is in French but the product GUI etc. is in English,
    http://www.sur-la-toile.com/RogueKiller/
    This is a very good product to kill malicious processes.
    Has 6 different modes of operation.

  18. Ted March 22, 2011 at 10:44 am #

    Could you imagine the blood bath if an experienced hacker laid some advanced OS X malware into third party ad servers with bad iframes on all of the Mac sites. What a blood bath that would be, 98% unprotected computers and clueless naive operators. I run Intego VB X6 to at least have a chance. There will be a day when this happens, just when???

    Was pwned once by a Unix Arc Bomb Trojan that Intego called out, but it could not stop the persistent payload dropper that wanted to drop payloads every 5 mins. Laid in a week old clone to fix.

  19. Mike March 23, 2011 at 4:46 am #

    Keep in mind, almost all variants of the fake antivirus infections will allow you to run ONE program. That is Internet Explorer. To get a virus killer in the door (like SuperAntiSpyware Portable) first, rename the executable to IExplore.exe. The Fake AV thinks you are helping it to call home.

  20. Doug March 25, 2011 at 5:01 pm #

    Matt,

    I downloaded and ran rkill and PC Tools’ behavior guard picked up about 8 suspicious activities, including addition of items to the startup list. I got nervous, just ‘quarantined’ them all and probably won’t mess with it more.

  21. Shawn March 26, 2011 at 10:09 pm #

    @Mike

    Actually, that will usually not work, because most fake AVs are sophisticated enough to also check the Author of the file, and, sometimes, the MD5 Hash. If either of these isn’t what it expected, then it doesn’t allow the program to run. Unfortunately, simply renaming the file to IExplore.exe won’t help, unless it is a horribly written rogue. That’s why RKill is so popular. If it only took renaming it, then things like RKill wouldn’t exist, because renaming is so much easier. Though you are right, and IE is usually allowed to run.

    Shawn

    Securitynoob

  22. malwarekilla March 28, 2011 at 1:51 pm #

    Doug – Only use RKill if you have a rogue presently active on your PC. I think just about every AV detects Rkill as suspicious.

  23. Anakin March 28, 2011 at 2:21 pm #

    LOL Doug……………Most malware removal tools tell you to disable your real time av. No sense in running rkill unless you are currently infected. Think of rkill as an automatic task manager.

  24. john March 28, 2011 at 2:27 pm #

    matt,

    have you run into any malware that hides in video memory? I heard a security expert in a geek show say it was a new trend.

  25. estechguy March 28, 2011 at 10:47 pm #

    @Anakin – (;

  26. estechguy March 28, 2011 at 10:50 pm #

    😉 *LOL

  27. malwarekilla March 29, 2011 at 3:08 pm #

    @john – I never have, no.

  28. DisGusted_visitor March 29, 2011 at 4:57 pm #

    What did Matt do to tick off Dieselma….er…”Anakin”?
    His style is UNMISTAKABLE.

  29. Carlos March 29, 2011 at 8:17 pm #

    I can’t frigging believe DIESELMAN is Mr. SKYWALKER. [LOL]. DIESELMAN was BANNED from WILDERS FORUMS because of his attitude and I can’t understand why Matt gave him a post as a pseudo “moderator” in his forums. Frankly, I can’t understand it.

  30. DisGusted_visitor March 29, 2011 at 9:07 pm #

    Wilder’s and a few others.
    Unfortunately, by the time he was removed as a mod from Matt’s forum, many had given up and moved on.

    I, for one, found the guy so repulsive that I stopped visiting the forum.

    I just happened to stop by, and immediately recognized the overblown self image, the same sophomoric dogma, delusions about being “a pro”, etc.

    In the forum, it was reserved for those other than Matt.

    But, I suspect that something was done to cause him to demonstrate his personality defects to Matt directly.

    And if things go as expected, the comments section of this blog will be dominated by stupid comments from this narcissist – just like the forum was.

    At any rate, glad to see Matt doing vids again.

    I think I’ll see if the vibe on Matt’s YouTube channel is suffering from the input of this goof.

  31. estechguy March 30, 2011 at 1:19 am #

    Never say people can not change from their worst to better. If I am not mistaken someone on this forum might have changed for the better and I hope that is true. They know who they are and I can see much good in them. No one on earth has the right to judge who is better than another. May the loving and merciful God we have be in our hearts.

  32. Anakin March 30, 2011 at 4:33 pm #

    LOL…………..I love how you guys assume I am this so called Dieselman. What a bunch of losers you are. Get a life. Matt’s forums are a joke and have been for awhile. 4-5 new posts a day. That’s it. The forum is dead.

  33. Nikana March 30, 2011 at 9:28 pm #

    maybe he’s right.
    Theoretically, there could be another adult male on the planet that habitually inserts “LOL” into every other post besides Dieselman.
    Or, maybe “Anakin” is really a 14 year old girl.
    That would explain the “LOL”s AND the attitude.
    Let’s not jump to conclusions.

  34. estechguy March 31, 2011 at 1:08 am #

    Anakin – VERY ANGRY WITH YOU!

  35. Anakin April 1, 2011 at 12:17 am #

    Awwwwwwwwwwww. You’re angry. Build a bridge and get over it already.

  36. estechguy April 1, 2011 at 1:42 am #

    Anakin – HAHA…nice try not that kind of angry;)

  37. jery April 4, 2011 at 12:37 am #

    some of you have no respect for matt as well as Dieselman.

    Dieselman has no respect for matt at all.

  38. daem0n April 4, 2011 at 12:54 pm #

    Thanks MATT !! These are pimp !
    I’ve been removing rogues the ol’ fashioned way… taskman.
    Man, I’ve been removing rogues like crazy these past couple weeks. Let’s see, system tool, some system tool variant, and antimalware doctor were some of the most popular.
    What amazed me is how all these just let me kill ’em in taskman. It’s like really… is that all you got?

    I’ve also been seeing a rash of ransom-ware type crap too. Stuff hiding people’s files, corrupting files and USN journals, potentially holding their files ‘hostage’. I’ve been getting people bringing me their hard drives, they need data recovered after getting some rogue and I found after running check disk the USN Journals are corrupt, essentially orphaning all their files. Running check disk actually fixed the problem on a couple and the others were basically reformatted. And a couple others that had some mad trojan infections (like 40+) had all their files hidden (Docs and Settings + Programs), whatever trojan also erased the reg entries to unhide files from folder options, so they thought their files were deleted. At first I thought, okay, alternate data stream or rootkit. Even though I did find an MBR rootkit on one, turns out just the hidden attrib was set. Putting the reg entries back to check show hidden files from folder options made it easy to restore everything. MBR rootkits, hidden files, corrupting USN Journals … I’m cool with that, just don’t start encrypting files and we’ll be all right!
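The hidden-attribute symptom daem0n describes above is easy to undo in bulk. The PowerShell below is an added example (mine, not daem0n’s and not from the page): it restores the two Folder Options values the comment says the trojan removed (Hidden and ShowSuperHidden under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced) and clears the Hidden attribute on items in the profile and Program Files that carry Hidden without System, which is how a rogue-set bit differs from Windows’ own hidden files such as desktop.ini. The roots swept and the System-bit heuristic are my assumptions; it needs PowerShell 3.0 or later and supports -WhatIf so you can preview first.

```powershell
# Added example, not from the page. Undoes the two symptoms in the comment
# above: Explorer's "show hidden files" settings removed, and user files
# stamped with the Hidden attribute so they appear deleted.

function Restore-HiddenFilesView {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Folder Options > View is stored per user here.
    # Hidden = 1 shows hidden files; ShowSuperHidden = 1 shows protected OS files.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if ($PSCmdlet.ShouldProcess($key, 'Set Hidden=1 and ShowSuperHidden=1')) {
        New-ItemProperty -Path $key -Name 'Hidden' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'ShowSuperHidden' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Clear-RogueHiddenAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: the roots worth sweeping. The comment names the profile
        # ("Docs and Settings") and Programs folders.
        [string[]]$Root = @($env:USERPROFILE, $env:ProgramFiles)
    )

    $hidden  = [System.IO.FileAttributes]::Hidden
    $system  = [System.IO.FileAttributes]::System
    $reparse = [System.IO.FileAttributes]::ReparsePoint
    $cleared = 0

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }

        # Heuristic: the rogue set the plain Hidden bit. Windows' own hidden items
        # (desktop.ini, ntuser.dat, the "Application Data" junctions) also carry
        # System and/or are reparse points, so those are left alone.
        $items = Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                (([int]($_.Attributes -band $hidden)) -ne 0) -and
                (([int]($_.Attributes -band $system)) -eq 0) -and
                (([int]($_.Attributes -band $reparse)) -eq 0) -and
                ($_.Name -notin @('desktop.ini', 'thumbs.db'))
            }

        foreach ($item in $items) {
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
                # Clear only the Hidden bit and keep every other attribute as is.
                $item.Attributes = [System.IO.FileAttributes]([int]$item.Attributes -band -bnot [int]$hidden)
                $cleared++
            }
        }
    }
    return $cleared
}

# Preview first, then rerun without -WhatIf. The second call returns how many
# items it would have (or did) un-hide.
Restore-HiddenFilesView -WhatIf
Clear-RogueHiddenAttribute -WhatIf
```

Run it as the affected user, because the Folder Options values live under HKCU. It will also un-hide a few legitimately hidden-only items such as the AppData folder; that is cosmetic and easily reversed with attrib +h. It does nothing about the MBR rootkit or the USN journal corruption daem0n also mentions; those are separate clean-up steps.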

  39. Shaun Zhang April 4, 2011 at 9:35 pm #

    Do some more video reviews, Matt.

  40. Anakin April 5, 2011 at 5:12 am #

    Ummmmmmmmmmmm. He just did. Subscribe to his YouTube page.

  41. Warwagon April 6, 2011 at 8:27 pm #

    @Matt

    Hi, saw your video about Rkill. I saw that in the video you burned it to a DVD because malware tends to delete the file from a flash drive. Do you own any write protected flash drives? They are very hard to come by. PQI makes some good ones that I use. They have a physical switch on the back of the drive which switches write protected mode on or off. I also see this company makes them:

    http://www.amazon.com/Kanguru-Solutions-ALK-8G-8GB-Flashblu/dp/B00190IX40/ref=sr_1_1?ie=UTF8&s=electronics&qid=1302120916&sr=8-1

  42. estechguy April 6, 2011 at 8:35 pm #

    You could get a usb sd card reader and flip the switch on the sd card.

  43. Jonathan Baker May 6, 2011 at 6:04 am #

    I love how your links to the Userinit.exe and Winlogon.exe are viruses

    • malwarekilla May 10, 2011 at 4:11 pm #

      @Jonathan Baker – they’re detected as viruses by almost every anti-virus app.

  44. Jonathan Baker May 19, 2011 at 2:06 am #

    Then I guess it was a coincidence that as soon as I ran (Userinit.exe or Winlogon.exe) security tool rogue virus popped up after I cleaned an infected computer.

  45. mgcod June 3, 2011 at 1:55 am #

    Just went through the rkill process and although the process seemed to work I have a couple of questions.

    Early on in the process, when at the command prompt like window rkill said that it had completed its process, there was no list of files and therefore nothing I could go into file manager to delete manually – is this normal?

    When I ran GMER, unlike in the video there were 26 entries at the Rootkit/Malware tab – what should I do about these and how? For the record my Malwarebytes scan identified 13 malware that I deleted.

    • malwarekilla June 3, 2011 at 1:27 pm #

      @mgcod – rkill is only used to terminate rogue (fake) anti-virus and fake system utilities. If your report was essentially blank then it sounds like you don’t have any (or rkill couldn’t spot them). Run a scan with TDSS Killer and let me know if that finds anything.

Leave a Reply