
[RogueKiller] Official Tutorial


#1 Tigzy (Developer, Expert, 241 posts)
Hello

Here's the official user guide for release 7.

*** Video tutorial (text in French, I'll add annotations in English soon)

http://www.youtube.com/watch?v=kkd30mefyrU


  • Download RogueKiller (by tigzy) to the desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan

prescan.png


  • Wait for the end of the scan. At this point, nothing has been modified on the system.
  • The report has been created on the desktop. We can also open it with the Report button.
    It can be useful for the helper who follows you.
  • In the Registry tab, uncheck any false positives.
  • Click on the Delete button.
    Unlike the Scan button, this one deletes every line checked in the Registry tab and so modifies the system.

delete.png


  • The report has been created on the desktop. We can also open it with the Report button.
    It can be useful for the helper who follows you.

_________________________________________________________________________


  • The scan / delete reports also show whether Proxy / DNS configurations have been found.
    These lines will be found in the tabs of the same names.
    These lines aren't necessarily malware. Before fixing them, ensure they are not legit.
  • To fix them, use the corresponding buttons (ProxyFix, DNSFix)

proxydns.png


  • The report has been created on the desktop. We can also open it with the Report button.
    It can be useful for the helper who follows you.


_________________________________________________________________________


  • In the Hosts tab, we can see the hosts file of the PC.
  • If it has been corrupted (by malware), use the HostFix button to overwrite it with a good copy.

hosts.png


  • The report has been created on the desktop. We can also open it with the Report button.
    It can be useful for the helper who follows you.

_________________________________________________________________________


  • If you face a FakeHDD rogue (which hides files and shortcuts), you can use the ShtctFix button
  • This option should not be used in other cases, because it's not without consequences for the system

raccourcis.png


  • The report has been created on the desktop. We can also open it with the Report button.
    It can be useful for the helper who follows you.

_________________________________________________________________________


  • In the Driver tab, we can see hooks made into the Windows kernel (x86 only)
  • If some SSDT indexes are malicious, we can restore the original index by left-clicking on the line => Restore SSDT
    Warning: this operation can crash the PC. If you don't know what you're doing, don't use this.

driver.png


Edited by Tigzy, 07 September 2012 - 01:07 AM.


#2 admin (Founder Geek, Administrator, MVP, 24,094 posts)
Nice!

Thanks Tigzy. :thumbsup:

#3 Tigzy (Developer, Expert, 241 posts)
Thanks admin! :)
It's now released, I've updated the main page: http://www.geekstogo...13-roguekiller/

#4 Aaflac (Visiting Staff, Visiting Consultant, 26 posts)
That is quite a re-doing of RogueKiller!!

Excellent job, Tigzy. :thumbsup:

Hope we can ask questions here, otherwise, please move this post to the appropriate area.


Would like to run this by you, since it appears some things have changed.


In the old RogueKiller (RK), in [Mode: Suppression][Delete], some entries were Deleted, but some were Replaced.

Example:
Mode: Suppression -- Date : 27/01/2012 19:02:30

¤¤¤ Processus malicieux: 0 ¤¤¤

¤¤¤ Entrees de registre: 2 ¤¤¤
[IFEO] HKLM\[...]\Image File Execution Options : keygen.exe (StripMyRights.exe /D /L N) -> DELETED
[FILEASSO] HKCR\.exe : (mdaw) -> REPLACED (exefile)

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤


Question #1:
In the updated GUI version of RK, do I understand correctly that [Mode: Suppression] only Deletes Registry entries, and does not Replace, as shown in the example below?

Example:

¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[FILEASSO] HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command : ("D:\Documents and Settings\user\Local Settings\Application Data\uqt.exe" -a "D:\Documents and Settings\user\My Documents\browser\1-ff5-install\firefox.exe" -safe-mode) -> REPLACED ("D:\Program Files\mozilla firefox\firefox.exe" -safe-mode)



Question #2:
Does [Mode: Suppression] still identify Bad Processes and Kills them?

Example :

¤¤¤ Bad processes: 2 ¤¤¤
[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]
[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]

Would presume these would appear under the Processes tab.


//////////////////////////////////////////////////////////////////////////////////////////////////////

Have the following report:

RogueKiller V7.0.0 [01/26/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: abc [Admin rights]
Mode: Scan -- Date : 01/27/2012 22:47:59

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKCU\Software\Classes\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKUS\S-1-5-21-4240963322-405707203-1627527460-1003\Software\Classes\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe : (84) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 activate.adobe.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 490dc69e34d898f53e7cc8293b2a11c3
[BSP] e7ed3c0a0631b429a3edfcd7330e50c2 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 16106 Mo

1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 31459328 | Size: 104 Mo

2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 31664128 | Size: 241539 Mo

3 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 503420928 | Size: 242355 Mo

User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt


Question 3:
In the above report, since there is an infection identified [¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤] would the correct action be to check the entries that follow,
and then use [Mode: Suppression][Delete]:

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


Question #4:
Do the [FILEASSO] Registry entries also appear under the Registry tab, under the Shortcuts tab, or in both tabs?



Thank you for your help!!

#5 Tigzy (Developer, Expert, 241 posts)
Hello

In the updated GUI version of RK, do I understand correctly that [Mode: Suppression] only Deletes Registry entries, and does not Replace, as shown in the example below?


This is as before; it depends on the kind of key.
A RUN key can be deleted, whereas an association key, for instance, can only be replaced by its legit value.

Does [Mode: Suppression] still identify Bad Processes and Kills them?


No. Now only the prescan kicks out the bad processes.
But there's a "residu" module, which performs a quick scan of processes to see if some have been reactivated.

Would presume these would appear under the Processes tab.

Exactly :)

In the above report, since there is an infection identified [¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤] would the correct action be to check the entries that follow,and then use [Mode: Suppression][Delete]:


Actually, in Rogue.AntiSpy-AH, "AH" means "Association Hijack".
The infection is flagged that way because of the FILEASSO lines.

These 2 lines can even be unchecked in this case:

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


Do the [FILEASSO] Registry entries also appear under the Registry tab, under the Shortcuts tab, or in both tabs?

All the lines that aren't PROXY / DNS are located in the Registry tab, and can be checked / unchecked before the fix.

The Shortcut tab is a button to fix files hidden / moved by rogues of the "Fake HDD" type (System Check, for instance).

#6 Aaflac (Visiting Staff, Visiting Consultant, 26 posts)
Thanks for the clarification, Tigzy.

So, in the full report above, all six entries will appear checked under the Registry tab.

The course of action is:

1. Uncheck these two entries:
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


2. Make sure the four [FILEASSO] Registry entries remain checked.

3. Press the [Delete] button.

Since association keys [FILEASSO] can only be replaced by their legit value, the [Delete] action will replace them.



So, it appears the mode of operation of the old RK and the new RK are basically the same, otherwise.


However, you have also added the Drivers tab, and some new functionality that was not there before.
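As an added example (not part of RogueKiller or of any poster's code), here is a small Python parser for the report layout quoted in this thread. It splits a report into its ¤¤¤ sections, pulls the registry lines apart, applies the rule Tigzy gives above (FILEASSO and HJ values are replaced by their legit value, other keys are deleted), flags an .exe open-command value that differs from the stock `"%1" %*`, and lists the hosts-file overrides that HostFix would discard. The sample report is constructed, and the REPLACED_CATEGORIES set is an assumption inferred from the Delete-mode excerpts posted here, not taken from the tool's source.

```python
import re
from collections import defaultdict

# Constructed sample in the RogueKiller V7 report layout quoted in this thread (not a real report).
SAMPLE_REPORT = r"""¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKCR\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe : (84) -> FOUND
[IFEO] HKLM\[...]\Image File Execution Options : keygen.exe (StripMyRights.exe /D /L N) -> FOUND

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 activate.adobe.com
"""
SECTION_RE = re.compile(r"^¤¤¤ (.+?) ¤¤¤$")
# [CATEGORY] key : value -> ACTION, optionally followed by the replacement value in parentheses
ENTRY_RE = re.compile(r"^\[(?P<cat>[A-Z]+)\] (?P<key>.+?) : (?P<value>.+) -> (?P<action>[A-Z]+)(?: \((?P<new>.*)\))?$")
# Assumption inferred from the Delete-mode excerpts in this thread: FILEASSO and HJ entries get
# REPLACED by their legitimate value; other kinds (RUN, IFEO, ...) get DELETED.
REPLACED_CATEGORIES = {"FILEASSO", "HJ"}
EXE_OPEN_DEFAULT = '"%1" %*'  # stock Windows value of the .exe shell\open\command key

def parse_report(text):
    """Return ({section title: [lines]}, [registry entry dicts]) for one report."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).split(":")[0].strip()  # "Registry Entries: 4" -> "Registry Entries"
        elif line.strip() and current:
            sections[current].append(line)
    entries = [e.groupdict() for line in sections["Registry Entries"] if (e := ENTRY_RE.match(line))]
    return sections, entries

def expected_fix(entry):
    """What the Delete button would do to this entry under the rule above."""
    return "REPLACED" if entry["cat"] in REPLACED_CATEGORIES else "DELETED"

def exe_association_hijacked(entry):
    """True when an .exe open command is not the stock '"%1" %*' (the 'AH', Association Hijack, case)."""
    if not entry["key"].lower().endswith(r".exe\shell\open\command"):
        return False
    return entry["value"].strip("()") != EXE_OPEN_DEFAULT

def hosts_overrides(sections):
    """(ip, hostname) pairs in the HOSTS section, i.e. what HostFix would throw away."""
    return [tuple(l.split()[:2]) for l in sections["HOSTS File"] if not l.lstrip().startswith("#")]
```

Calling `parse_report(SAMPLE_REPORT)` and mapping `expected_fix` over the entries shows that three of the four lines would be replaced rather than deleted, and that only the `shell\open\command` line is an association hijack.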

#7 Tigzy (Developer, Expert, 241 posts)
First post edited: Added video

#8 Brandon Jones (Member, 57 posts)
What is the purpose of the DRV box at the top of RogueKiller? When RogueKiller first starts, it is green. After the initial scan it turns green. Also, is there any way we could get English subtitles on the tutorial video?

Thanks Tigzy!

#9 Tigzy (Developer, Expert, 241 posts)
DRV = Driver :)
When the driver is loaded, it turns green.

I'll think about English subs. I just need time :)

#10 Brandon Jones (Member, 57 posts)
Thanks.

#11 SleepyDude (Trusted Helper, Malware Removal, 3,182 posts)
Hi Tigzy,

Thanks for the Tutorial and Tool. :thumbsup:

#12 SleepyDude (Trusted Helper, Malware Removal, 3,182 posts)
Hi Tigzy,

Is there any way to run the tool without checking for updates?

If the tool is executed on a computer without an active network connection, it gets stuck checking for updates.

Thanks.

#13 Tigzy (Developer, Expert, 241 posts)
I'll have a look at how to fix this :)

#14 Tigzy (Developer, Expert, 241 posts)
Can you test with the latest? 8.2.0

#15 SleepyDude (Trusted Helper, Malware Removal, 3,182 posts)

Can you test with the latest? 8.2.0


Hi,

The new version works fine without the network. :thumbsup:

Thanks.