A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4918  by EP_X0FF
 Sun Feb 06, 2011 11:44 pm
With the last two (IS 2011 and Windows Problems Detector), maybe renaming RogueKiller to something like explorer.exe/iexplore.exe can help?
 #4919  by Jaxryley
 Mon Feb 07, 2011 12:34 am
Installed Windows Problems Detector, and RogueKiller failed on the first execution but succeeded on the second attempt, with the rogue not showing up on reboot.

Malwarebytes is now able to run a quick scan to completion to clean up any dregs where a scan was terminated by the rogue when it was active.
RogueKiller V3.9.0 by Tigzy
contact at !http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: !http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Remove -- Time : 07/02/2011 08:20:15

Bad processes:
Killed c:\documents and settings\administrator\application data\cncyim.exe

Deregistred:
HKCU\...\Winlogon\ Shell : C:\Documents and Settings\Administrator\Application Data\cncyim.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe -> svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe -> svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe -> svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe -> svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe -> svchost.exe

HOSTS File:
127.0.0.1 localhost


Finished
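The two registry findings in this report, the HKCU Winlogon Shell value and the Image File Execution Options (IFEO) Debugger entries, are both worth checking by hand on a suspect machine. The script below is an added example written for this thread, not RogueKiller's code or anything Tigzy published: it reads only the registry and lists IFEO Debugger values that redirect an executable name (the AV processes in the report are handed to svchost.exe, so they never start) and Winlogon Shell/Userinit values that differ from the defaults. The expected defaults (explorer.exe, %SystemRoot%\system32\userinit.exe) and the "suspicious" path patterns are this example's own assumptions; it uses New-Object PSObject so it also runs on PowerShell 2.0.

```powershell
# Added example for this thread (not RogueKiller's own code).
# Read-only audit of two persistence points seen in the report above:
#   1. IFEO "Debugger" values that redirect an executable to another program
#   2. Winlogon Shell / Userinit values changed from their defaults
# Run from an elevated PowerShell prompt.

$IfeoKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$WinlogonHKLM = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WinlogonHKCU = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Path fragments this example treats as suspicious for a debugger (assumption)
$BadDebuggerPattern = 'svchost\.exe|\\Application Data\\|\\AppData\\|\\Temp\\'

function Get-IfeoRedirections {
    # Each subkey is named after an executable; a "Debugger" value makes
    # CreateProcess start that program instead. The report shows the rogue
    # pointing egui.exe, ekrn.exe, msmpeng.exe, ... at svchost.exe so the
    # AV never actually launches.
    Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            New-Object PSObject -Property @{
                Target     = $_.PSChildName
                Debugger   = $dbg
                Suspicious = [bool]($dbg -match $BadDebuggerPattern)
            }
        }
    }
}

function Get-WinlogonAnomalies {
    # Defaults assumed by this example: HKLM Shell is exactly "explorer.exe",
    # HKLM Userinit is %SystemRoot%\system32\userinit.exe (trailing comma
    # allowed), and HKCU has no Shell value at all. The report shows the
    # rogue planting its own executable as the HKCU Shell.
    $findings = @()
    $p = Get-ItemProperty -Path $WinlogonHKLM -ErrorAction SilentlyContinue
    if ($p.Shell -and $p.Shell.Trim() -ne 'explorer.exe') {
        $findings += New-Object PSObject -Property @{ Key = "$WinlogonHKLM\Shell"; Value = $p.Shell }
    }
    if ($p.Userinit -and $p.Userinit -notmatch '^(%SystemRoot%|[A-Z]:\\windows)\\system32\\userinit\.exe,?\s*$') {
        $findings += New-Object PSObject -Property @{ Key = "$WinlogonHKLM\Userinit"; Value = $p.Userinit }
    }
    $u = Get-ItemProperty -Path $WinlogonHKCU -Name Shell -ErrorAction SilentlyContinue
    if ($u -and $u.Shell) {
        $findings += New-Object PSObject -Property @{ Key = "$WinlogonHKCU\Shell"; Value = $u.Shell }
    }
    return $findings
}

Write-Host '== IFEO Debugger redirections =='
Get-IfeoRedirections | Format-Table Target, Debugger, Suspicious -AutoSize
Write-Host '== Winlogon Shell/Userinit anomalies =='
Get-WinlogonAnomalies | Format-Table Key, Value -AutoSize
```

An IFEO Debugger entry is not proof of infection on its own: developer tools and Sysinternals Process Explorer's "Replace Task Manager" option set one legitimately, so review each hit before deleting it. A Shell value under HKCU, on the other hand, is almost never there on a clean XP box and deserves a close look at whatever file it names.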
 #4920  by Jaxryley
 Mon Feb 07, 2011 1:05 am
With Internet Security 2011, it took a few executions of RogueKiller and hitting "Dismiss" on the rogue's warning before RogueKiller was able to run and nullify it.
RogueKiller V3.9.0 by Tigzy
contact at !http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: !http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Remove -- Time : 07/02/2011 08:59:54

Bad processes:

Deregistred:
HKLM\SYSTEM\ControlSet001\services\userinit -> \\.\globalroot\systemroot\system32\us?rinit.exe
HKLM\SYSTEM\ControlSet002\services\userinit -> \\.\globalroot\systemroot\system32\us?rinit.exe
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_USERINIT ->

HOSTS File:
127.0.0.1 localhost


Finished
 #4941  by Tigzy
 Mon Feb 07, 2011 5:13 pm
Hi everyone :!:
> With the last two (IS 2011 and Windows Problems Detector), maybe renaming RogueKiller to something like explorer.exe/iexplore.exe can help?
Yes, it works with that tip, because most rogues keep system file execution at startup (for system stability). So most system file names could work (explorer.exe, winlogon.exe, userinit.exe, ...)

But sometimes RogueKiller can be quicker than the rogue, it depends:
> but succeeded on the second attempt with the rogue not showing up on reboot.
@Xylitol: We spent some time emailing each other, but some information could be useful for everyone here.... ;)
I don't think that rogues (in the largest sense) use that kind of technology to hide themselves... Maybe a rootkit sometimes, but RogueKiller doesn't include anti-RK tools. Use GMER first (for instance on IS2011 there's a kill-AV RK)

And from the user's point of view, using a tool to hide the process results in the same problem, because you'll have to launch it without being killed.
(Or I missed something, such as a technology to bypass API hooks from kill-AV drivers)

If you have questions, let me know.
If you want, have a look at the RogueKiller official website; at the bottom of the page there are some links to Facebook, Youtube, etc...
On my Youtube page, there are a lot of demonstration videos about RogueKiller and some well-known rogues. :twisted:

Have a nice week

PS: Sorry for poor English, that's the problem with French language education...
 #4955  by Tigzy
 Tue Feb 08, 2011 8:44 pm
For the moment I can't try it, not having my VMs available (I'm currently living in a hotel for my job until tomorrow) :D
But I'll do a report maybe tomorrow night or this weekend...

Anyway, it's the same family as Antivirus 2010, here's a video: http://www.youtube.com/watch?v=QeruDIKV1-I
And the report (old version, but still works I guess...):
RogueKiller V3.7.0 by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzy44<at>hotmail<dot>fr
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) version 32 bits
Mode: Remove -- Time : 05/01/2011 08:01:57

Bad processes:
Killed svchost.exe

Deregistred:
HKLM\SYSTEM\ControlSet001\services\userinit -> \\.\globalroot\systemroot\system32\us?rinit.exe
HKLM\SYSTEM\ControlSet001\services\vbma3c79 ->
HKLM\SYSTEM\ControlSet001\services\kxtoykoc -> Base
HKLM\SYSTEM\ControlSet002\services\userinit -> \\.\globalroot\systemroot\system32\us?rinit.exe
HKLM\SYSTEM\ControlSet002\services\vbma3c79 ->
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KXTOYKOC ->
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_USERINIT ->
HKCR\CLSID\{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}\InprocServer32: winSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll


Fichier HOSTS:
127.0.0.1 localhost
::1 localhost


Finished
All the secret is in the last line, where the wbem DLL is replaced by an infected DLL, which reactivates the vbma driver.


EDIT: Anyone got a sample of Windows problem detector?
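The hijacked "userinit" service and the CLSID InprocServer32 entry in this report are the kind of thing that survives a process kill, so it helps to have a quick read-only check for both. The script below is an added example for this thread, not RogueKiller's code: it lists services whose ImagePath goes through the \\.\globalroot device namespace or into a user profile, and it resolves the InprocServer32 value of the Shell Hardware Event Detector CLSID from the report to a file, reporting whether that file lives under system32, whether its name is the expected shsvcs.dll (that expected name and the "suspicious" path patterns are assumptions of the example) and what Get-AuthenticodeSignature says about it.

```powershell
# Added example for this thread (not RogueKiller's own code).
# Read-only checks for two persistence points from the report above:
#   1. Services whose ImagePath uses \\.\globalroot or a user profile path
#   2. The InprocServer32 DLL behind the Shell HW Event Detector CLSID
# Run from an elevated PowerShell prompt.

# Path fragments this example treats as suspicious for a service (assumption)
$BadServicePathPattern = '\\\\\.\\globalroot|\\Application Data\\|\\AppData\\|\\Temp\\'

function Get-SuspiciousServicePaths {
    # A service image path normally reads "%SystemRoot%\system32\...";
    # the report's fake "userinit" service instead goes through the
    # \\.\globalroot device namespace to dodge simple string checks.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and ($img -match $BadServicePathPattern)) {
            New-Object PSObject -Property @{ Service = $_.PSChildName; ImagePath = $img }
        }
    }
}

function Test-ComServerDll {
    param(
        # Shell Hardware Event Detector CLSID, taken from the report above
        [string]$Clsid = '{4FA18276-912A-11D1-AD9B-00C04FD8FDFF}',
        # Expected server DLL name; an assumption of this example
        [string]$ExpectedDll = 'shsvcs.dll'
    )
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    $value = [Environment]::ExpandEnvironmentVariables($raw)

    # A relative value (like the WinSxS path in the report) is found by the
    # loader's search order; try the two locations that matter for a system DLL.
    $candidates = @($value)
    if (-not [IO.Path]::IsPathRooted($value)) {
        $candidates = @((Join-Path $env:SystemRoot "system32\$value"), (Join-Path $env:SystemRoot $value))
    }
    $resolved = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    $sig = if ($resolved) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'FileNotFound' }

    New-Object PSObject -Property @{
        Clsid        = $Clsid
        RawValue     = $raw
        Resolved     = $resolved
        InSystem32   = [bool]($resolved -and ($resolved -like (Join-Path $env:SystemRoot 'system32\*')))
        ExpectedName = [bool]($resolved -and ([IO.Path]::GetFileName($resolved) -ieq $ExpectedDll))
        Signature    = $sig
    }
}

Write-Host '== Services with suspicious ImagePath =='
Get-SuspiciousServicePaths | Format-Table Service, ImagePath -AutoSize
Write-Host '== Shell HW Event Detector COM server =='
Test-ComServerDll | Format-List
```

On XP most system DLLs are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature reports NotSigned even for a clean shsvcs.dll; the decisive signals here are whether the value resolves at all and whether it resolves under system32. To vet the file itself, compare its hash against a copy from a known-clean install or run sigverif, and remember that a legitimately named DLL dropped elsewhere (the report's WinSxS path) is exactly what this check is meant to surface.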