Adlice forum

Software feedback => RogueKiller => Topic started by: rk_doubt on March 26, 2015, 11:41:16 AM

Title: Pre-scan block & maybe false positive
Post by: rk_doubt on March 26, 2015, 11:41:16 AM
hi fellows thanks in advance for your advanced program.
I would like to give my feedback on, so started on 2 different S.O.

On W7 work flawlessly despite found some false positive red threats associated with a detect program (for updating) of producer brand of pc

On XP Sp3:

1) very hard just to start it. I've tried with portable and installer version but either stuck on pre-scan and you can't help but reset S.O. cause everything is blocked (task manager, keyboard and mouse arrow)
So re-launch it in safe mode and finally it works.


2) At the end of scan i've found this log
Code: [Select]
RogueKiller V10.5.7.0 [Mar 22 2015] di Adlice Software
posta : http://www.adlice.com/contact/
Commenti : http://forum.adlice.com
Sito Web : http://www.adlice.com/softwares/roguekiller/
Discussione : http://www.adlice.com

Sistema Operativo : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Iniziato in : Modalità Sicura
Utente : utente [Amministratore]
Iniziato da : C:\Documents and Settings\utente\Documenti\Downloads\RogueKiller.exe
Modalità : Scansione -- Data : 03/25/2015  23:08:47

¤¤¤ Processi : 0 ¤¤¤

¤¤¤ Registro : 5 ¤¤¤
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Trovato
[PUM.StartMenu] HKEY_USERS\S-1-5-21-484763869-602162358-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Trovato
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_W_4B42\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trovato
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_W_4B42\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Trovato
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Trovato

¤¤¤ Attività : 0 ¤¤¤

¤¤¤ Archivi : 1 ¤¤¤
[File.Forged][Archivio] CDUDF.SYS -- C:\WINDOWS\system32\drivers\CDUDF.SYS -> Trovato

¤¤¤ Archivio Hosts : 1 ¤¤¤
[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Non caricato [0x2]) ¤¤¤

¤¤¤ Web Browser : 0 ¤¤¤

¤¤¤ Controllo MBR : ¤¤¤
+++++ PhysicalDrive0: Maxtor 6Y080L0 +++++
--- User ---
[MBR] 6e95574ecc03410bedb2dfebc9fb683a
[BSP] 2463887d4bc98492808f76efcdfccc69 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 51199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 104856255 | Size: 26960 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!

+++++ PhysicalDrive1: MAXTOR 6L020J1 +++++
--- User ---
[MBR] ad5c0416b8b175b3dbd8f285eb57d39c
[BSP] f261d79ad119592be851ba6b5bd2211b : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 19594 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!


It seems that CDUDF.SYS was the problem (also MBAR reported it as forged and deleted) but at every boot it reappears.
i've analyzed it with lot of programs also on virustotal, you can watch https://www.virustotal.com/it/file/0ef441ac9d748ad2d5b916ae6a79c5faa6fc6b7513144f1c6578635d633cfc87/analysis/1427364566/ (https://www.virustotal.com/it/file/0ef441ac9d748ad2d5b916ae6a79c5faa6fc6b7513144f1c6578635d633cfc87/analysis/1427364566/) here but everything seems good.

Can you tell me how can resolve the block in normal mode launch and if you can guarantee there's not any problem on that log?
Title: Re: Pre-scan block & maybe false positive
Post by: Curson on March 26, 2015, 02:44:01 PM
Hi rk_doubt,

Welcome to Adlice.com Forum.

Quote from: rk_doubt
On W7 work flawlessly despite found some false positive red threats associated with a detect program (for updating) of producer brand of pc
Could you please post the report you obtained ? We strive to fix as many false postives as possible.

Quote from: rk_doubt
I've tried with portable and installer version but either stuck on pre-scan and you can't help but reset S.O. cause everything is blocked (task manager, keyboard and mouse arrow)
Could you please relaunch RogueKiller in normal mode using option -nokill ?
If you need help with the programm, please refer to RogueKiller Official tutorial (http://www.adlice.com/softwares/roguekiller/roguekiller-official-tutorial/).

Quote
[File.Forged][Archivio] CDUDF.SYS -- C:\WINDOWS\system32\drivers\CDUDF.SYS -> Trovato
This driver is certainly legit. However, we are going to double-check.
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Additionally, zip the following directory :
Quote
C:\TDSSKiller
Host it anywhere you want (Google Drive, Dropbox, ...) but make sure it's public.
Put the link here.

Regards.
Title: Re: Pre-scan block & maybe false positive
Post by: rk_doubt on March 27, 2015, 11:00:29 AM
Quote from: Curson on March 26, 2015, 02:44:01 PM
Hi rk_doubt,

Welcome to Adlice.com Forum.

Thank you Curson, really enjoy your kindness.
 
Quote from: Curson on March 26, 2015, 02:44:01 PM
Quote from: rk_doubt
On W7 work flawlessly despite found some false positive red threats associated with a

detect program (for updating) of producer brand of pc
Could you please post the report you obtained ? We strive to fix as many false postives as possible.

I'm sorry, but now can't physically access to it (a friend laptop) but i rember it was sure about Dell, something like Dell Detect.

Quote from: Curson on March 26, 2015, 02:44:01 PM

Quote from: rk_doubt
I've tried with portable and installer version but either stuck on pre-scan and you can't

help but reset S.O. cause everything is blocked (task manager, keyboard and mouse arrow)
Could you please relaunch RogueKiller in normal mode using option -nokill ?
If you need help with the programm, please refer to

RogueKiller Official

tutorial (http://www.adlice.com/softwares/roguekiller/roguekiller-official-tutorial/).

I'd like to try but in the RogueKiller can't find this option just because after 2-3 second it stuck and i must reboot.

Quote from: Curson on March 26, 2015, 02:44:01 PM


Quote
[File.Forged][Archivio] CDUDF.SYS -- C:\WINDOWS\system32\drivers\CDUDF.SYS -> Trovato
This driver is certainly legit. However, we are going to double-check.

Quote from: Curson on March 26, 2015, 02:44:01 PM
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Additionally, zip the following directory :
Quote
C:\TDSSKiller

That's it https://www.sendspace.com/file/7t37nb (https://www.sendspace.com/file/7t37nb)

but i can't find the TDSSKiller folder in C:\

Thank you for your support!
Title: Re: Pre-scan block & maybe false positive
Post by: Curson on March 31, 2015, 09:14:46 PM
Hi rk_doubt,

Yu are very welcome. :)
Quote from: rk_doubt
I'm sorry, but now can't physically access to it (a friend laptop) but i rember it was sure about Dell, something like Dell Detect.
That's no big deal. I should be able to figure it out by myself.

Quote from: rk_doubt
I'd like to try but in the RogueKiller can't find this option just because after 2-3 second it stuck and i must reboot.
- Please download RogueKiller latest version and save it to your desktop.
- Press the "Windows Key" + R and enter the following command :
Code: [Select]
"%HOMEDRIVE%\%HOMEPATH%\Desktop\RogueKiller.exe" -nokillRogueKiller sould run just fine.

Quote from: rk_doubt
That's it https://www.sendspace.com/file/7t37nb

but i can't find the TDSSKiller folder in C:\
TDSSKiller didn't detect the file CDUDF.SYS, so it's OK.

Regards.
Title: Re: Pre-scan block & maybe false positive
Post by: rk__doubt on April 14, 2015, 07:54:55 PM
Quote from: Curson on March 31, 2015, 09:14:46 PM

- Please download RogueKiller latest version and save it to your desktop.
- Press the "Windows Key" + R and enter the following command :
Code: [Select]
"%HOMEDRIVE%\%HOMEPATH%\Desktop\RogueKiller.exe" -nokillRogueKiller sould run just fine.

Title: Re: Pre-scan block & maybe false positive
Post by: Curson on April 15, 2015, 12:00:49 PM
Hi rk__doubt,

Are you the same person owning the account named rk_doubt ?
Do you still need help ?

Regards.
Title: Re: Pre-scan block & maybe false positive
Post by: rk__doubt on April 21, 2015, 04:41:27 PM
hi curson, yeah i'm still here (sorry but i've lost my previous pass).  I really can't imagine why my answer in the previous post was badly formatted after the quote but anyway i still thank you for your kind support.
I wrote that i tried to launch last version of RogueKiller (both portable and setup) but also with nokill options i have to reset pc because it always stucks. So i think there's some hard incompatibility with my XP
Title: Re: Pre-scan block & maybe false positive
Post by: Curson on April 21, 2015, 10:46:59 PM
Hi rk_doubt,

You are welcome.
Did your try using the following form to recover your account ? Authentication Reminder (http://forum.adlice.com/index.php?action=reminder)

Which version of RogueKiller did you use in this last scan ?

Regards.
Title: Re: Pre-scan block & maybe false positive
Post by: rk__doubt on April 21, 2015, 10:52:03 PM
The last version i used was 10.5.10 and it blocked cpu (with no-kill feature) like 10.5.7 

Regards
Title: Re: Pre-scan block & maybe false positive
Post by: Curson on April 21, 2015, 11:14:14 PM
Hi rk_doubt,

RogueKiller version 10.6.0 is out.
Could you please give it a try ?

Regards.
Title: Re: Pre-scan block & maybe false positive
Post by: rk__doubt on April 27, 2015, 12:37:41 PM
Hi Curson, I've tried v10.6 (also the old-Gui this time) with no kill option, and same bad outcome.
Title: Re: Pre-scan block & maybe false positive
Post by: Curson on April 27, 2015, 08:17:41 PM
Hi rk_doubt,

Let's try another thing :
1) Download RogueKiller (x86) (http://www.adlice.com/fr//?smd_process_download=1&download_id=2180) and save it on your desktop.
2) Download ProcDump (https://download.sysinternals.com/files/Procdump.zip) and extract procdump.exe on your desktop.
3) Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :
Quote
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x %USERPROFILE%\Desktop "%USERPROFILE%\Desktop\RogueKiller.exe" -nokill
Do not close the command prompt !

4) RogueKiller will be launched and, when the system hang, wait for a few minutes before resetting it.
5) A new file named RogueKiller.exe_<datetime>.dmp should has been created on your desktop. Please zip it, upload it on Google Drive/Dropbox and share the link here.

Regards.
Title: Re: Pre-scan block & maybe false positive
Post by: rk__doubt on April 28, 2015, 11:40:14 AM
Hi Curson, thanks for your support.

I've done what you ask me with some problems:

1) after the first code row in the command prompt appears an error "can't find...".
That error seem to disappear if i cut the green text
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x %USERPROFILE%\Desktop
2) the second row code starts roguekiller (1.6.1) and hangs (as usually ;)) but after resetting (10 minutes waited) i don't find any file .dmp on desktop.
I've made a search in all the pc but nothing was found.

I'll wait for your advise, but if you think it's time to give up, don't feel sorry to tell me. I'm very grateful for your kind help.
Title: Re: Pre-scan block & maybe false positive
Post by: Curson on April 29, 2015, 12:35:28 AM
Hi rk_doubt,

The code stands on one line and must be pasted as such. Here it is using the "code" formating :
Code: [Select]
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x %USERPROFILE%\Desktop "%USERPROFILE%\Desktop\RogueKiller.exe" -nokill
Could you please retry, please ?

Regards.
Title: Re: Pre-scan block & maybe false positive
Post by: rk__doubt on May 06, 2015, 08:55:43 AM
Quote from: Curson on April 29, 2015, 12:35:28 AM

Code: [Select]
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x %USERPROFILE%\Desktop "%USERPROFILE%\Desktop\RogueKiller.exe" -nokill


Thank you Curson, sorry but i have to repeat that what happen after code is nothing as you can see. Only if cut the central piece of code (%USERPROFILE%\Desktop) the things start but don't get me the .dmp file :(

Title: Re: Pre-scan block & maybe false positive
Post by: Curson on May 06, 2015, 09:00:21 PM
Hi rk__doubt,

Could you please retry with the following command ?
Code: [Select]
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x "%USERPROFILE%\Desktop" "%USERPROFILE%\Desktop\RogueKiller.exe" -nokill
Regards.
Title: Re: Pre-scan block & maybe false positive
Post by: rk__doubt on May 06, 2015, 10:53:21 PM
Hi Curson, thanks for the help. The last code you gave me works now and the procdump+roguekiller begin scan: the problem is that, after block and rebooting on desktop i don't find anything. I made also a search through hard-disk but can't find anything "roguekiller.exe<date>.dmp".

Regards   
Title: Re: Pre-scan block & maybe false positive
Post by: Curson on May 07, 2015, 08:57:39 AM
Hi rk__doubt,

That's troublesome.
Could you please tell me what was written on the command line interface when the computer froze ?

Regards.