[RogueKiller] Official Tutorial

#1
Tigzy
    Developer
  • Expert
  • 254 posts

Hello

Here's the official user guide for the release 12.

Since I'm now hosting it on my website, it's easier to modify in one place only:

 

http://www.adlice.co...iller/tutorial/


Edited by Tigzy, 05 July 2016 - 08:35 AM.

  • 0

#2
admin
    Founder Geek
  • Administrator
  • 24,470 posts
Nice!

Thanks Tigzy. :thumbsup:
  • 0

#3
Tigzy
    Developer
  • Topic Starter
  • Expert
  • 254 posts
Thanks admin! :)
It's now released, I've updated the main page: http://www.geekstogo...13-roguekiller/
  • 0

#4
Aaflac
    Visiting Staff
  • Visiting Consultant
  • 26 posts
That is quite a re-doing of RogueKiller!!

Excellent job, Tigzy. :thumbsup:

Hope we can ask questions here, otherwise, please move this post to the appropriate area.


Would like to run this by you, since it appears some things have changed.


In the old RogueKiller (RK), in [Mode: Suppression][Delete], some entries were Deleted, but some were Replaced.

Example:
Mode: Suppression -- Date : 27/01/2012 19:02:30

¤¤¤ Processus malicieux: 0 ¤¤¤

¤¤¤ Entrees de registre: 2 ¤¤¤
[IFEO] HKLM\[...]\Image File Execution Options : keygen.exe (StripMyRights.exe /D /L N) -> DELETED
[FILEASSO] HKCR\.exe : (mdaw) -> REPLACED (exefile)

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤


Question #1:
In the updated GUI version of RK, do I understand correctly that [Mode: Suppression] only Deletes Registry entries, and does not Replace, as shown in the example below?

Example:

¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[FILEASSO] HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command : ("D:\Documents and Settings\user\Local Settings\Application Data\uqt.exe" -a "D:\Documents and Settings\user\My Documents\browser\1-ff5-install\firefox.exe" -safe-mode) -> REPLACED ("D:\Program Files\mozilla firefox\firefox.exe" -safe-mode)



Question #2:
Does [Mode: Suppression] still identify Bad Processes and Kill them?

Example :

¤¤¤ Bad processes: 2 ¤¤¤
[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]
[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]

Would presume these would appear under the Processes tab.


//////////////////////////////////////////////////////////////////////////////////////////////////////

Have the following report:

RogueKiller V7.0.0 [01/26/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: abc [Admin rights]
Mode: Scan -- Date : 01/27/2012 22:47:59

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKCU\Software\Classes\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKUS\S-1-5-21-4240963322-405707203-1627527460-1003\Software\Classes\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe : (84) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 activate.adobe.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 490dc69e34d898f53e7cc8293b2a11c3
[BSP] e7ed3c0a0631b429a3edfcd7330e50c2 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 16106 Mo

1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 31459328 | Size: 104 Mo

2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 31664128 | Size: 241539 Mo

3 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 503420928 | Size: 242355 Mo

User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt


Question #3:
In the above report, since there is an infection identified [¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤] would the correct action be to check the entries that follow,
and then use [Mode: Suppression][Delete]:

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


Question #4:
Do the [FILEASSO] Registry entries also appear under the Registry tab, under the Shortcuts tab, or in both tabs?



Thanks for your help!!
  • 0

#5
Tigzy
    Developer
  • Topic Starter
  • Expert
  • 254 posts
Hello

In the updated GUI version of RK, do I understand correctly that [Mode: Suppression] only Deletes Registry entries, and does not Replace, as shown in the example below?


This is as previously; it depends on the kind of key.
A RUN key can be deleted, and, f.i., an association key can only be replaced by its legit value.

Does [Mode: Suppression] still identify Bad Processes and Kill them?


No. Now, only the prescan kicks the bad processes.
But there's a "residu" module, which performs a quick scan of processes to see if some have been reactivated.

Would presume these would appear under the Processes tab.

Exactly :)

In the above report, since there is an infection identified [¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤] would the correct action be to check the entries that follow, and then use [Mode: Suppression][Delete]:


Actually, in Rogue.AntiSpy-AH, "AH" means "Association Hijack"
The infection is so flagged due to the FILEASSO lines.

These 2 lines can even be unchecked in this case:

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


Do the [FILEASSO] Registry entries also appear under the Registry tab, under the Shortcuts tab, or in both tabs?

All the lines that aren't PROXY / DNS are located in the Registry tab, and can be checked / unchecked before the fix.

The Shortcuts tab is a button to fix files hidden / moved by rogues of the "Fake HDD" type (System check, f.i.).
  • 0

#6
Aaflac
    Visiting Staff
  • Visiting Consultant
  • 26 posts
Thanks for the clarification, Tigzy.

So, in the full report above, all six entries will appear checked under the Registry tab.

The course of action is:

1. Uncheck these two entries:
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


2. Make sure the four [FILEASSO] Registry entries remain checked.

3. Press the [Delete] button.

Since association keys [FILEASSO] can only be replaced by their legit value, the [Delete] action will replace them.



So, it appears the mode of operation of the old RK and the new RK is basically the same, otherwise.


However, you have also added the Drivers tab, and some new functionality that was not there before.
  • 0
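The exchange in posts #5 and #6 boils down to a triage rule over the report: association keys ([FILEASSO]) are restored to their legitimate value, other kinds are deleted, and the "AH" flag comes from the [FILEASSO] lines. The script below is an added example, not RogueKiller's own code and not Tigzy's: it parses the report format quoted in this thread ("¤¤¤ Section : detail ¤¤¤" headers, "[KIND] key : name (data) -> STATUS (new)" entries) and builds the plan Aaflac summarised. The legitimate .exe association values it compares against (`exefile` and `"%1" %*`) are the standard Windows defaults; the per-kind action table and the "HJ lines are optional for an -AH infection" rule are taken from Tigzy's reply and are an assumption about the tool, not its documented logic. The sample report is constructed from lines quoted above.

```python
"""Parse a RogueKiller text report and triage its registry entries. Added example
for this thread, not RogueKiller's own code: it labels each registry entry with the
remediation Tigzy describes (RUN/IFEO keys deleted, HJ/FILEASSO keys replaced)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, assembled from the registry lines quoted in this thread.
SAMPLE_REPORT = r"""RogueKiller V7.0.0 [01/26/2012] by Tigzy
Mode: Scan -- Date : 01/27/2012 22:47:59

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKCR\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe : (84) -> FOUND

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤
"""

# "¤¤¤ Name : detail ¤¤¤" headers and "[KIND] key : name (data) -> STATUS (new)" entries.
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>[^:]+?)\s*(?::\s*(?P<detail>.*?))?\s*¤¤¤$")
ENTRY_RE = re.compile(r"^\[(?P<kind>[A-Z]+)\]\s+(?P<rest>.+?)\s+->\s+(?P<status>[A-Z]+)(?:\s+\((?P<new>.*)\))?$")
VALUE_RE = re.compile(r"^(?P<vname>.*?)\s*\((?P<data>.*)\)$")
REGISTRY_SECTIONS = ("Registry Entries", "Entrees de registre")  # English and French reports

# Remediation per entry kind, as described in the thread (assumption about the tool).
EXPECTED_ACTION = {"FILEASSO": "REPLACE", "HJ": "REPLACE", "RUN": "DELETE", "IFEO": "DELETE"}
# Standard Windows defaults for the .exe association, keyed by registry path suffix.
LEGIT_ASSOC = {r"\.exe\shell\open\command": '"%1" %*', r"\.exe": "exefile"}


@dataclass
class Entry:
    kind: str           # HJ, FILEASSO, RUN, ...
    key: str            # registry key path as printed
    vname: str          # value name (a CLSID under NewStartPanel); "" for the default value
    data: str           # data RogueKiller found
    status: str         # FOUND / REPLACED / DELETED
    new: Optional[str]  # replacement data when status is REPLACED


def parse_report(text: str) -> Tuple[Dict[str, str], List[Entry]]:
    """Return (section details, entries listed under the registry section)."""
    sections: Dict[str, str] = {}
    entries: List[Entry] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name")
            sections[current] = (sec.group("detail") or "").strip()
            continue
        ent = ENTRY_RE.match(line)
        if ent and current in REGISTRY_SECTIONS:
            key, _, value = ent.group("rest").partition(" : ")
            val = VALUE_RE.match(value.strip())
            vname, data = (val.group("vname"), val.group("data")) if val else ("", value.strip())
            entries.append(Entry(ent.group("kind"), key.strip(), vname, data,
                                 ent.group("status"), ent.group("new")))
    return sections, entries


def legit_default(key: str) -> Optional[str]:
    """Known legitimate data for an association key, or None if we hold no reference."""
    low = key.lower()
    for suffix, value in LEGIT_ASSOC.items():
        if low.endswith(suffix.lower()):
            return value
    return None


def is_association_hijack(entry: Entry) -> bool:
    """True when a FILEASSO entry's data differs from the known Windows default."""
    if entry.kind != "FILEASSO":
        return False
    default = legit_default(entry.key)
    return default is not None and entry.data != default


def triage(text: str) -> Dict[str, object]:
    """Build the plan Aaflac summarised: the fix each line gets and whether it is required."""
    sections, entries = parse_report(text)
    infection = sections.get("Infection", "")
    # "AH" = Association Hijack: the flag rests on the FILEASSO lines, so those are the
    # required fixes; per Tigzy the HJ lines can be unchecked in that case.
    assoc_case = infection.endswith("-AH")
    plan = [{
        "kind": e.kind, "key": e.key, "data": e.data,
        "action": EXPECTED_ACTION.get(e.kind, "REVIEW"),
        "hijacked": is_association_hijack(e),
        "required": e.kind == "FILEASSO" or not (assoc_case and e.kind == "HJ"),
    } for e in entries]
    return {"infection": infection, "plan": plan}


if __name__ == "__main__":
    for p in triage(SAMPLE_REPORT)["plan"]:
        state = "keep checked" if p["required"] else "optional"
        print(f"[{p['kind']}] {p['key']} -> {p['action']} ({state}, hijacked={p['hijacked']})")
```

Run on the sample, the two [FILEASSO] lines come out as REPLACE / keep checked / hijacked (the handler for .exe points at a file under AppData instead of `"%1" %*`, and the .exe class is `84` instead of `exefile`), while the two [HJ] lines come out as REPLACE / optional, which is exactly the checklist in post #6.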

#7
Tigzy
    Developer
  • Topic Starter
  • Expert
  • 254 posts
First post edited: Added video
  • 0

#8
Brandon Jones
    Member
  • Member
  • 57 posts
What is the purpose of the DRV box at the top of RogueKiller? When RogueKiller first starts, it is green. After the initial scan it turns green. Also, is there any way we could get English subtitles on the tutorial video?

Thanks Tigzy!
  • 0

#9
Tigzy
    Developer
  • Topic Starter
  • Expert
  • 254 posts
DRV = Driver :)
When the driver is loaded, it turns green.

I'll think about English subs. I just need time :)
  • 0

#10
Brandon Jones
    Member
  • Member
  • 57 posts
Thanks.
  • 0

#11
SleepyDude
    Trusted Helper
  • Malware Removal
  • 4,011 posts
Hi Tigzy,

Thanks for the Tutorial and Tool. :thumbsup:
  • 0

#12
SleepyDude
    Trusted Helper
  • Malware Removal
  • 4,011 posts
Hi Tigzy,

Is there any way to run the tool without checking for updates?

If the tool is executed on a computer without the network connection active, it gets stuck checking for updates.

Thanks.
  • 0

#13
Tigzy
    Developer
  • Topic Starter
  • Expert
  • 254 posts
I'll have a look at how to fix this :)
  • 0

#14
Tigzy
    Developer
  • Topic Starter
  • Expert
  • 254 posts
Can you test with the latest? 8.2.0
  • 0

#15
SleepyDude
    Trusted Helper
  • Malware Removal
  • 4,011 posts

Can you test with the latest? 8.2.0


Hi,

The new version works fine without the network. :thumbsup:

Thanks.
  • 0





