Adlice forum
Software feedback => RogueKiller => Topic started by: gamefan on December 01, 2015, 09:12:27 AM
-
Hello
When I run the new version of RogueKiller I get a Windows pop-up saying I need a digitally signed driver or something like that; the driver won't run.
I'm using the x64 version of the portable RogueKiller.
What is going on?
-
Hello, is it version 11?
Do you see a Truesight.sys file in C:/Windows/System32/Drivers ?
-
Yes it is in there and it is version 11
I found this in the event viewer:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 12/1/2015 2:20:14 AM
Event ID: 5038
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Gamefan-PC
Description:
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume3\Windows\System32\drivers\TrueSight.sys
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5038</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-12-01T08:20:14.550725900Z" />
<EventRecordID>120551</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="48" />
<Channel>Security</Channel>
<Computer>Gamefan-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\TrueSight.sys</Data>
</EventData>
</Event>
Either the driver is corrupt or not digitally signed.
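As an added example (not from the thread or from Adlice), here is a small Python triage helper that pulls the Event 5038 Audit Failure records out of a Security-log XML export such as the one above and maps the NT device path back to a drive path; the second event in the sample and the HarddiskVolume3 -> C: mapping are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CODE_INTEGRITY_HASH_INVALID = 5038       # "image hash of a file is not valid"
AUDIT_FAILURE_BIT = 0x0010000000000000   # set in Keywords 0x8010000000000000 (Audit Failure)

# Constructed export: the 5038 event from the thread plus one unrelated success event.
SAMPLE_EXPORT = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5038</EventID><Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-12-01T08:20:14.550725900Z"/><Computer>Gamefan-PC</Computer></System>
<EventData><Data Name="param1">\\Device\\HarddiskVolume3\\Windows\\System32\\drivers\\TrueSight.sys</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4672</EventID><Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-12-01T08:21:00.000000000Z"/><Computer>Gamefan-PC</Computer></System>
<EventData><Data Name="SubjectUserName">gamefan</Data></EventData>
</Event>
</Events>"""

def nt_to_dos_path(nt_path, volume_map):
    """Translate \\Device\\HarddiskVolumeN\\... into a drive path using volume_map."""
    m = re.match(r"\\Device\\(HarddiskVolume\d+)\\(.*)", nt_path)
    if m and m.group(1) in volume_map:
        return volume_map[m.group(1)] + "\\" + m.group(2)
    return nt_path  # unknown volume: keep the path exactly as the event recorded it

def code_integrity_failures(xml_text, volume_map):
    """Return one dict per 5038 Audit Failure event in the export, oldest first."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        if int(sysnode.findtext("e:EventID", namespaces=NS)) != CODE_INTEGRITY_HASH_INVALID:
            continue
        if not int(sysnode.findtext("e:Keywords", namespaces=NS), 16) & AUDIT_FAILURE_BIT:
            continue
        params = {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)}
        nt_path = params.get("param1", "")
        hits.append({
            "time": sysnode.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": sysnode.findtext("e:Computer", namespaces=NS),
            "path": nt_to_dos_path(nt_path, volume_map),
            "is_driver": nt_path.lower().endswith(".sys"),  # kernel driver vs. other image
        })
    return sorted(hits, key=lambda h: h["time"])

if __name__ == "__main__":
    # HarddiskVolume3 -> C: is assumed for this sample; read it from the affected host in practice.
    for hit in code_integrity_failures(SAMPLE_EXPORT, {"HarddiskVolume3": "C:"}):
        print(hit["time"], hit["computer"], hit["path"], "driver" if hit["is_driver"] else "image")
```

A repeated 5038 for the same .sys path on every launch, as in this thread, points at a signing or Code Integrity mismatch rather than disk damage, which a single chkdsk pass would be expected to clear.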
-
Is there any way to get a fresh copy of the driver without releasing everything RogueKiller deleted?
-
Sorry for the extra post, but I removed the .sys file from the drivers folder; upon starting up RogueKiller it created a new one, but the light still won't turn green.
I don't know what the driver does, but I'm afraid it might not detect something important when I do my routine scans, then back stuff up to my hard drives.
-
Hi gamefan, Tigzy,
Sorry to intrude, but I'd like gamefan to try something.
Please follow this process:
Download Sigcheck (http://live.sysinternals.com/sigcheck.exe) and save it to your desktop.
Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
%USERPROFILE%\Desktop\sigcheck.exe -a -h -i -accepteula %WINDIR%\system32\drivers\TrueSight.sys > %USERPROFILE%\Desktop\sigcheck.log
A file named sigcheck.log will be created on your desktop. Please attach it with your next reply.
Regards.
-
Hey, also would you like to attach the driver in an archive?
I would like to make sure it's the correct file.
Thanks.
-
This is what you're supposed to have, version 2.0.1 of Truesight
Please verify you have digital signature tab like in my screenshot, with valid signature.
I suspect your antivirus is blocking it while it's being installed.
Could you also retry with it switched off?
-
Tigzy and Curson
Here's the sig log file and the driver file in an archive, and a screenshot if it helps.
I did turn off Avast, same results; it doesn't even alert Avast when it's on.
Stupid question but: Unity web player has nothing to do with RogueKiller, right?
Can RogueKiller detect nearly everything without the rootkit driver? All it found last time were just some registry keys left over after resetting IE, but not sure what the first one was:
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\ASK -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1025616775-32965946-2427245248-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1025616775-32965946-2427245248-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
-
I was able to get the error message to pop up again if you guys need it.
Yeah, I think the system thinks it's unsigned or something.
I have a question though: if I have AdwCleaner free, Avast free, MBAM free, Kaspersky TDSSKiller, McAfee anti-rootkit, HitmanPro free, JRT, and RogueKiller free and I run the scans one at a time, do I need the driver for RogueKiller fixed if those keys were all it found without it and the others didn't find anything else?
-
Hi gamefan,
Here's the sig log file and the driver file in an archive, and a screenshot if it helps.
Thanks. We were able to confirm that the driver is not corrupt in any way.
Stupid question but: Unity web player has nothing to do with RogueKiller, right?
Right.
Can RogueKiller detect nearly everything without the rootkit driver?
The driver is needed for the detection of advanced threats.
I have a question though: if I have AdwCleaner free, Avast free, MBAM free, Kaspersky TDSSKiller, McAfee anti-rootkit, HitmanPro free, JRT, and RogueKiller free and I run the scans one at a time, do I need the driver for RogueKiller fixed if those keys were all it found without it and the others didn't find anything else?
I think it's better to troubleshoot it.
Could you please do a full scan with RogueKiller (even with the driver unloaded) and attach the JSON report in your next reply?
Regards.
-
OK, I right-clicked the program, selected "Run as administrator", ran a scan and exported it as JSON.
It didn't detect those registry keys above since it got rid of them the first time.
Anything else? Should I try a quick defragmentation of my hard drive?
-
Just tried a quick defrag, it didn't work.
-
Hi gamefan,
Let's try something different:
Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
certutil -store root > %USERPROFILE%\Desktop\CARootList.log && chkdsk C: /V > %USERPROFILE%\Desktop\FSCheck.log
Two files named sigcheck.log and FSCheck.log will be created on your desktop. Please attach them with your next reply.
Regards.
-
I'm so sorry I'm late, I was busy today.
Anywho, here's what you asked for.
-
Hi gamefan,
Don't worry about that.
Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
chkdsk C: /f /v /x
Please allow chkdsk to run on next reboot and restart the computer to perform the analysis.
Is the driver able to load?
Regards.
-
I've tested the file you sent (which doesn't seem corrupt), and verify says the signature is correct and is valid for kernel.
Plus, the Microsoft cross certificate is present... The file is not the problem here.
-
Gamefan, could you look into C:\Windows\INF
and see if there are files like setupapi.<something>.log?
Could you attach them all?
Thanks.
-
Gamefan, could you look into C:\Windows\INF
and see if there are files like setupapi.<something>.log?
Could you attach them all?
Thanks.
Are these what you wanted?
Also, chkdsk didn't work.
I'm running Windows 7 Ultimate, no service pack, if that helps any.
-
Do you see any setupapi.dev.log?
-
Hi gamefan,
One last try:
Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
wusa /uninstall /kb:2949927 /quiet /promptrestart
Don't close the command prompt before the operation is finished!
Reboot the system and then, please check Windows Update for updates.
If any, install them and reboot the computer before testing RogueKiller again.
Regards.
-
Do you see any setupapi.dev.log?
Sadly no, I searched the whole laptop.
Hi gamefan,
One last try:
Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
wusa /uninstall /kb:2949927 /quiet /promptrestart
Don't close the command prompt before the operation is finished!
Reboot the system and then, please check Windows Update for updates.
If any, install them and reboot the computer before testing RogueKiller again.
Regards.
I tried that, but I don't have that update installed on my PC. Is Service Pack 1 needed to do that? My PC won't let me install SP1 for some weird reason, probably the fact that I had to change the HD a while back and I needed Intel Rapid Storage Technology to even get Windows Update to work again, and some updates I read have some severe privacy issues/botnet implications.
I'm sorry about these failings. Should I just let you know if the driver starts working again in a future update? I really am sorry.
-
Hi gamefan,
I tried that, but I don't have that update installed on my PC. Is Service Pack 1 needed to do that? My PC won't let me install SP1 for some weird reason, probably the fact that I had to change the HD a while back and I needed Intel Rapid Storage Technology to even get Windows Update to work again, and some updates I read have some severe privacy issues/botnet implications.
No, it's not. This KB is known to cause issues when processing SHA-2 hashed certificates. Since it's not installed on your system, it's not the culprit.
I'm sorry about these failings. Should I just let you know if the driver starts working again in a future update? I really am sorry.
Please don't be sorry about that. We are really grateful to you for helping us troubleshoot this issue. :)
Tigzy and I will continue to investigate and will get back to you as soon as possible.
Regards.
-
Sorry for necroing this thread, but
in the newest version of RogueKiller, the driver is working again! :)
-
Hi gamefan,
I'm glad to hear it. :)
We reverted to SHA-1 hashing since we discovered the SHA-2 algorithm is only partially supported on Windows 7: Signing Kernel-mode Drivers with SHA-2/SHA-256 (http://lordjeb.com/2013/12/16/signing-kernel-mode-drivers-with-sha-2sha-256/)
Thanks again for your continuous feedback on the issue, it really helped us troubleshoot it.
Regards.
-
Hi gamefan,
I'm glad to hear it. :)
We reverted to SHA-1 hashing since we discovered the SHA-2 algorithm is only partially supported on Windows 7: Signing Kernel-mode Drivers with SHA-2/SHA-256 (http://lordjeb.com/2013/12/16/signing-kernel-mode-drivers-with-sha-2sha-256/)
Thanks again for your continuous feedback on the issue, it really helped us troubleshoot it.
Regards.
Ah, I'm not very knowledgeable on SHA stuff and this is probably a stupid question, but does the algorithm affect RogueKiller's ability to detect?
Again, sorry for necroing the thread. Thank you.
-
Hi gamefan,
No, it doesn't change anything. ;)
Regards.