[Tigzy]

Hello

Here's the official user guide for the release 7.

*** Vidéo tutorial (texts in French, I'll add annotations in english soon)

• Download on the desktop RogueKiller (by tigzy)
  
• Quit all programs
  
• Start RogueKiller.exe.
  
• Wait until Prescan has finished ...
  
• Click on Scan

• Wait for the end of the scan. For now, there's no modification on the system
  
• The report has been created on the desktop. We can also open it with the Report button.
  It can be useful for the helper who follow you.
  
• In the Registry tab, uncheck the eventual false positives.
  
• Click on the Delete button.
  Unlike the scan button, this one deletes every line checked in the registry tab and so modifies the system.

• The report has been created on the desktop. We can also open it with the Report button.
  It can be useful for the helper who follow you.

_________________________________________________________________________

• The scan / delete reports also shows if Proxy / DNS configurations has been found.
  These lines will be found in the tabs of the same names.
  These lines aren't inevitably malware. Before to fix them, ensure they are not legit.
  
• To fix them, use the corresponding buttons (ProxyFix, DNSFix)

• The report has been created on the desktop. We can also open it with the Report button.
  It can be useful for the helper who follow you.

_________________________________________________________________________

• In the Hosts tab, we can see the hosts file of the PC.
  
• If it had been corrupted (by a malware), use the HostFix button to erase it with a good copy.

• The report has been created on the desktop. We can also open it with the Report button.
  It can be useful for the helper who follow you.

_________________________________________________________________________

• If you face a FakeHDD rogue (which hides files and shortcuts), you can use the ShtctFix button
  
• This option should not be used in other cases, cause it's not without consequences on the system

• The report has been created on the desktop. We can also open it with the Report button.
  It can be useful for the helper who follow you.

_________________________________________________________________________

• In the Driver tab, we can see hooks made into the windows kernel (x86 only)
  
• If some SSDT indexes are malware, we can restore original index by left click on the line => Restore SSDT
  Warning : this manipulation can crash the PC. If you don't know what you're doing, don't use this.

[admin]

Nice!

Thanks Tigzy.

[Tigzy]

Thanks admin!
It's now released, I've updated the main page: http://www.geekstogo...13-roguekiller/

[Aaflac]

That is quite a re-doing of RogueKiller!!

Excellent job, Tigzy.

Hope we can ask questions here, otherwise, please move this post to the appropriate area.


Would like to run this by you, since it appears some things have changed.


In the old RogueKiller (RK), in [Mode: Suppression][Delete], some entries were Deleted, but some were Replaced.

Example:
Mode: Suppression -- Date : 27/01/2012 19:02:30

¤¤¤ Processus malicieux: 0 ¤¤¤

¤¤¤ Entrees de registre: 2 ¤¤¤
[IFEO] HKLM\[...]\Image File Execution Options : keygen.exe (StripMyRights.exe /D /L N) -> DELETED
[FILEASSO] HKCR\.exe : (mdaw) -> REPLACED (exefile)

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤


Question #1:
In the updated GUI version of RK, do I understand correctly that [Mode: Suppression] only Deletes Registry entries, and does not Replace, as shown in the example below?

Example:

¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[FILEASSO] HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command : ("D:\Documents and Settings\user\Local Settings\Application Data\uqt.exe" -a "D:\Documents and Settings\user\My Documents\browser\1-ff5-install\firefox.exe" -safe-mode) -> REPLACED ("D:\Program Files\mozilla firefox\firefox.exe" -safe-mode)



Question #2:
Does [Mode: Suppression] still identify Bad Processes and Kills them?

Example :

¤¤¤ Bad processes: 2 ¤¤¤
[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]
[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]

Would presume these would appear under the Processes tab.


//////////////////////////////////////////////////////////////////////////////////////////////////////

Have the following report:

RogueKiller V7.0.0 [01/26/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: abc [Admin rights]
Mode: Scan -- Date : 01/27/2012 22:47:59

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKCU\Software\Classes\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKUS\S-1-5-21-4240963322-405707203-1627527460-1003\Software\Classes\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe\shell\open\command : ("C:\Users\abc\AppData\Local\etc.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe : (84) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 activate.adobe.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 490dc69e34d898f53e7cc8293b2a11c3
[BSP] e7ed3c0a0631b429a3edfcd7330e50c2 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 16106 Mo

1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 31459328 | Size: 104 Mo

2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 31664128 | Size: 241539 Mo

3 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 503420928 | Size: 242355 Mo

User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt


Question 3:
In the above report, since there is an infection identified [¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤] would the correct action be to check the entries that follow,
and then use [Mode: Suppression][Delete]:

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


Question #4:
Do the [FILEASSO] Registry entries also appear under the Registry tab, under the Shortcuts tab, or in both tabs?



Merci pour votre aide!!

[Tigzy]

Hello

Quote

In the updated GUI version of RK, do I understand correctly that [Mode: Suppression] only Deletes Registry entries, and does not Replace, as shown in the example below?

This is as previously, it depends on the kind of key.
A RUN Key can be delete, and f.i. an association key can only be replaced by its legit value

Quote

Does [Mode: Suppression] still identify Bad Processes and Kills them?

No. Now, only the prescan kick the bad processes.
But there's a "residu" module, which performs a quick scan of process to see if some have been reactivated

Quote

Would presume these would appear under the Processes tab.

Exactly

Quote

In the above report, since there is an infection identified [¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤] would the correct action be to check the entries that follow,and then use [Mode: Suppression][Delete]:

Actually, in Rogue.AntiSpy-AH, "AH" means "Association Hijack"
The infection is so flagged due to the FILEASSO lines.

These 2 lines can even be unchecked in this case:

Quote

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Quote

Do the [FILEASSO] Registry entries also appear under the Registry tab, under the Shortcuts tab, or in both tabs?

All the lines that aren't PROXY / DNS are located in the registry tab, and can be checked / unchecked before fix

Shortcut tab is a button to fix files hidden / moved by rogues of type "Fake HDD" (System check f.i)

[Aaflac]

Thanks for the clarification, Tigzy.

So, in the full report above, all six entries will appear checked under the Registry tab.

The course of action is:

1. Uncheck these two entries:
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


2. Make sure the four [FILEASSO] Registry entries remain checked.

3. Press the [Delete] button.

Since association keys [FILEASSO] can only be replaced by their legit value, the [Delete] action will replace them.



So, it appears the mode of operation of the old RK and the new RK are basically the same, otherwise.


However, you have also added the Drivers tab, and some new functionality that was not there before.

[Tigzy]

First post edited: Added video

[Brandon Jones]

What is the purpose of the DRV box at the top of Rouge Killer? When Rouge Killer first starts, it is green. After the initial scan it turns green. Also is there anyway we could get English subtitles on the tutorial video?

Thanks Tigzy!

[Tigzy]

DRV = Driver
When the driver is loaded, it turns into green

I'll think about english subs. I just need time

[Brandon Jones]

Thanks.

[SleepyDude]

Hi Tigzy,

Thanks for the Tutorial and Tool.

[SleepyDude]

Hi Tigzy,

Is there any way to run the tool without checking for updates?

If the tool is executed on computer without the network connection active it gets stuck checking for updates.

Thanks.

[Tigzy]

I'll have a look on how fix this

[Tigzy]

Can you test with the latest? 8.2.0

[SleepyDude]

Tigzy, on 23 October 2012 - 06:48 AM, said:

Can you test with the latest? 8.2.0

Hi,

The new version works fine without the network.

Thanks.