That is quite a re-doing of RogueKiller!!
Excellent job, Tigzy.
Hope we can ask questions here, otherwise, please move this post to the appropriate area.
Would like to run this by you, since it appears some things have changed.
In the old RogueKiller (RK), in [Mode: Suppression][Delete], some entries were Deleted, but some were Replaced.
Example:
Mode: Suppression -- Date : 27/01/2012 19:02:30
¤¤¤ Processus malicieux: 0 ¤¤¤
¤¤¤ Entrees de registre: 2 ¤¤¤
[IFEO] HKLM\[...]\Image File Execution Options : keygen.exe (StripMyRights.exe /D /L N) -> DELETED
[FILEASSO] HKCR\.exe : (mdaw) -> REPLACED (exefile)
¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤
¤¤¤ Driver: [LOADED] ¤¤¤
¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤
Question #1:
In the updated GUI version of RK, do I understand correctly that [Mode: Suppression] only Deletes Registry entries, and does not Replace, as shown in the example below?
Example:
¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[FILEASSO] HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command : ("D:\Documents and Settings\user\Local Settings\Application Data\uqt.exe" -a "D:\Documents and Settings\user\My Documents\browser\1-ff5-install\firefox.exe" -safe-mode) -> REPLACED ("D:\Program Files\mozilla firefox\firefox.exe" -safe-mode)
Question #2:
Does [Mode: Suppression] still identify Bad Processes and Kills them?
Example :
¤¤¤ Bad processes: 2 ¤¤¤
[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]
[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]
Would presume these would appear under the Processes tab.
//////////////////////////////////////////////////////////////////////////////////////////////////////
Have the following report:
RogueKiller V7.0.0 [01/26/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: abc [Admin rights]
Mode: Scan -- Date : 01/27/2012 22:47:59
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 6 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKCU\Software\Classes\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKUS\S-1-5-21-4240963322-405707203-1627527460-1003\Software\Classes\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe : (84) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 activate.adobe.com
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 490dc69e34d898f53e7cc8293b2a11c3
[BSP] e7ed3c0a0631b429a3edfcd7330e50c2 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 16106 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 31459328 | Size: 104 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 31664128 | Size: 241539 Mo
3 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 503420928 | Size: 242355 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt
Question 3:
In the above report, since there is an infection identified [¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤], would the correct action be to check the entries that follow and then use [Mode: Suppression][Delete]:
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
Question #4:
Do the [FILEASSO] Registry entries also appear under the Registry tab, under the Shortcuts tab, or in both tabs?
Thanks for your help!!
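Added example, not part of this post or of RogueKiller itself: a small Python parser for the report layout quoted above (¤¤¤ section headers, one finding per line, `-> ACTION` with an optional replacement value in parentheses). The sample report below is constructed from lines in the post; the regexes assume only the layout shown, and `pending()` lists what a Scan reported as FOUND but has not yet been acted on.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the reports quoted in the post.
SAMPLE_REPORT = "\n".join([
    r'¤¤¤ Bad processes: 1 ¤¤¤',
    r'[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]',
    r'¤¤¤ Registry Entries: 3 ¤¤¤',
    r'[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)',
    r'[FILEASSO] HKCR\.exe : (mdaw) -> REPLACED (exefile)',
    r'[FILEASSO] HKCR\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND',
    r'¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤',
])

@dataclass
class Finding:
    section: str                        # e.g. "Registry Entries", "Bad processes"
    category: str                       # bracket tag: HJ, FILEASSO, IFEO, WINDOW
    target: str                         # registry key, or image path for a process
    value: str                          # current value, or image name for a process
    action: str                         # FOUND, DELETED, REPLACED, KILLED
    replacement: Optional[str] = None   # new value after REPLACED, if any

# Section header: "¤¤¤ Name: detail ¤¤¤" (detail may be a count, a state or a name).
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>[^:]+?)\s*:\s*(?P<detail>.*?)\s*¤¤¤$")
# Registry finding: "[TAG] key : value -> ACTION (replacement)".
REG_RE = re.compile(r"^\[(?P<cat>[A-Z]+)\] (?P<key>.+?) : (?P<val>.+?) -> "
                    r"(?P<act>FOUND|DELETED|REPLACED)(?: \((?P<new>.*)\))?$")
# Process finding: "[WINDOW : title] image -- path -> ACTION [method]".
PROC_RE = re.compile(r"^\[(?P<cat>WINDOW) : (?P<title>.+?)\] (?P<img>\S+) -- (?P<path>.+?) -> "
                     r"(?P<act>FOUND|KILLED)(?: \[\w+\])?$")

def parse_report(text):
    """Return (findings, infection_name) for a report in the layout above."""
    findings, infection, section = [], None, ""
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m["name"]
            if section == "Infection":
                infection = m["detail"]
            continue
        if m := REG_RE.match(line):
            findings.append(Finding(section, m["cat"], m["key"], m["val"], m["act"], m["new"]))
        elif m := PROC_RE.match(line):
            findings.append(Finding(section, m["cat"], m["path"], m["img"], m["act"]))
    return findings, infection

def pending(findings):
    """Findings still at FOUND: reported by a Scan, not yet deleted, replaced or killed."""
    return [f for f in findings if f.action == "FOUND"]
```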