Friday, August 26, 2011

Malware Part 2: You are infected, now what.

One of the BNI leaders, Amy LeMieux, pointed out a good resource for fighting malware: Rkill.

Please don't get click-happy and install it right now! It is used for a very specific purpose.

People who write infections are not stupid. They are often more aware of what can remove the malady they created than most people are. Knowing this, malware writers often include code that disables your current protections. Once infected, you may also find you cannot INSTALL any of the more common cleaners either (like Malwarebytes, which we covered previously).

How will you know? Often, you cannot even browse to a site to download a cleaner (like Malwarebytes). Or you do download one and get a message that the cleaner is infected when you try to install it. Or you try to start your already installed protection and nothing happens.

So where does Rkill come in? Rkill is a small, free, portable tool designed to terminate active malware processes, allowing you to use other removal tools.

Rkill does NOT clean the infection. It only paves the way for your cleaner of choice to work.
It comes in multiple flavors (different file extensions) depending on the infection you have, since some malware blocks .exe files from running but ignores the others:

Downloads:
rkill.exe – Download from BleepingComputer.com – 257kb
rkill.com – Download from BleepingComputer.com – 257kb
rkill.scr – Download from BleepingComputer.com – 257kb
rkill.pif – Download from BleepingComputer.com – 257kb


When RKill is run it will display a console screen similar to the one below:
[Posted Image: screenshot of the RKill console window]
That console screen will stay open until RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that RKill terminated while it was running.

Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected. Examples of these warnings are:
[Posted Image: two examples of fake "this program is infected" warnings shown by malware]
These warnings are just fake alerts by the malware that has hijacked your computer, trying to protect itself. Two methods that you can try to get past this and allow RKill to run are:
  • When you receive the warning message, leave the message on the screen and try running RKill again.
  • If that does not work, just keep launching RKill until it catches and stays up long enough to kill the malware.
Neither method is elegant, but they will work if you keep trying. Unfortunately, there is not much more I can do at this point for some malware that is very tenacious at killing every process that runs.
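Once RKill has closed and shown its log, it is worth confirming that your own protection is actually alive again before you trust a scan, since the post above notes that infected machines often let you "start" the cleaner and then nothing happens. The PowerShell snippet below is an added example of mine for that check; it is not part of RKill or the BleepingComputer write-up, and the process and service names in it are placeholders you must replace with whatever your cleaner or anti-virus product actually uses.

```powershell
# Added example, not from the post or from RKill: verify that your protection is running
# after RKill has finished. Names below are placeholders; substitute your product's own
# process name (without .exe) and Windows service name.
$expectedProcesses = @('YourCleanerProcess')   # placeholder process name
$expectedServices  = @('YourCleanerService')   # placeholder service name

function Test-ProtectionRunning {
    param(
        [string[]]$Processes,
        [string[]]$Services
    )
    $report = @()
    foreach ($p in $Processes) {
        # Get-Process returns nothing (no error) if the process is not running
        $proc = Get-Process -Name $p -ErrorAction SilentlyContinue
        $report += [pscustomobject]@{ Kind = 'Process'; Name = $p; Running = [bool]$proc }
    }
    foreach ($s in $Services) {
        # A service that exists but is Stopped counts as "not running" here
        $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
        $report += [pscustomobject]@{
            Kind    = 'Service'
            Name    = $s
            Running = ($null -ne $svc -and $svc.Status -eq 'Running')
        }
    }
    return $report
}

$result = Test-ProtectionRunning -Processes $expectedProcesses -Services $expectedServices
$result | Format-Table -AutoSize

# If anything is missing, start it (or run RKill again) before you rely on a scan result.
if ($result | Where-Object { -not $_.Running }) {
    Write-Warning "Some protection components are not running. Start them or re-run RKill before scanning."
}
```

Run this from a PowerShell window opened as administrator; a component reported as not running right after you tried to start it is the same symptom the post describes, and is a sign the malware is still killing processes and RKill needs to be run again.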

On a final note, when you download and run RKill, certain anti-virus programs may state that the program is a security risk. This is because some of the techniques RKill uses (forcibly ending processes) can be used for good or bad; the program itself is harmless, but many anti-virus programs simply lump such tools into the bad category.

A full write-up can be found here:

http://www.bleepingcomputer.com/forums/topic308364.html

Confused? Email me and I will be happy to help.
Tech Guru
1 comment:

  1. Good stuff! It's very difficult for someone not directly involved with tech to keep abreast of the malware/virus situation. This stuff helps immensely!