A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4960  by Jaxryley
 Tue Feb 08, 2011 10:08 pm
Xylitol wrote: @Jaxryley, Yeah sure, but the rogue stops RogueKiller anyway, so he can block it really, if the author has not done a feature for 'allow'.
You can disarm this rogue family manually by going into Device Manager - System devices and disabling "[cmz vmkd] Virtual Bus".

Once that is disabled a scan with Malwarebytes will run to completion.

If you had already tried to run Malwarebytes with the driver active and it won't run again, then you need to go into the Malwarebytes program folder and reset the permissions on mbam.exe.

But it's way easier to run RogueKiller first then run a scan with Malwarebytes.
[Attachment: Sys.JPG]
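The manual steps above (find the "[cmz vmkd] Virtual Bus" entry under System devices, disable it, then reset the permissions on mbam.exe) can be scripted so the device name is recorded before it is touched. The script below is an added example and is not from this thread or from RogueKiller or Malwarebytes; it assumes an elevated PowerShell on Windows 8 or later (the Get-PnpDevice / Disable-PnpDevice cmdlets come from the PnpDevice module, which is not present on Windows 7), and the mbam.exe path is a placeholder you must set to your own install location.

```powershell
# Added example, not from the thread: disable a PnP device by friendly name and
# reset the ACL on mbam.exe so Malwarebytes can be started again afterwards.
# Assumes an elevated prompt and the PnpDevice module (Windows 8+).
#Requires -RunAsAdministrator

param(
    # Device name as quoted in the post above.
    [string]$DeviceName = '[cmz vmkd] Virtual Bus',
    # Placeholder: set this to the mbam.exe in your Malwarebytes program folder.
    [string]$MbamExe    = 'C:\PATH\TO\Malwarebytes\mbam.exe'
)

# 1. Enumerate "System devices" whose friendly name matches the rogue's virtual bus.
$devices = Get-PnpDevice -Class 'System' -ErrorAction SilentlyContinue |
    Where-Object { $_.FriendlyName -like "*$DeviceName*" }

if (-not $devices) {
    Write-Host "No device matching '$DeviceName' found."
} else {
    foreach ($dev in $devices) {
        # Record instance ID and backing driver service first; useful for an IR timeline.
        $props = Get-PnpDeviceProperty -InstanceId $dev.InstanceId -ErrorAction SilentlyContinue
        $svc   = ($props | Where-Object KeyName -eq 'DEVPKEY_Device_Service').Data
        Write-Host ("Found: {0}  Status={1}  InstanceId={2}  Service={3}" -f `
            $dev.FriendlyName, $dev.Status, $dev.InstanceId, $svc)

        # 2. Disable the device, the same action as right-click > Disable in Device Manager.
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
    }
}

# 3. If mbam.exe had its permissions stripped, reset its ACL to the inherited defaults.
if (Test-Path $MbamExe) {
    icacls $MbamExe /reset
} else {
    Write-Host "mbam.exe not found at '$MbamExe'; set -MbamExe to your install path."
}
```

Run it as `.\disable-rogue-bus.ps1` from an elevated prompt; the `Service=` value it prints is the driver name behind the device, which is what you want to keep for later cleanup and for checking whether the same driver reappears after a reboot.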
 #4996  by Tigzy
 Thu Feb 10, 2011 2:34 pm
Hello again ;)

Sorry, it's my fault, Windows Problems Detector and not Protector...
Thx for the samples, I'll try this evening.

@Jaxryley, Yeah sure, but the rogue stops RogueKiller anyway, so he can block it really, if the author has not done a feature for 'allow'.
Yeah, for sure, because there's a killAV driver in most cases. The driver intercepts calls to new processes and blocks them. I guess that even HideToolz is blocked, isn't it?
Maybe a driver can pass through, but a single process will be locked regardless of its content. Only certain processes will be allowed, and my opinion is that these processes are those which were existing at the startup of the rogue (a white list is established at the beginning).

The idea is to take one of the white list names.