Messages - gamefan

RogueKiller / Best Buy False Positive?
« on: December 27, 2016, 08:36:24 AM »
Hello,

I'd like to report a potential false positive,

[PUP.BestBuy] (X64) HKEY_LOCAL_MACHINE\Software\Best Buy -> Found

RogueKiller only found this registry entry; it didn't find anything else.

Best Buy is the place I bought my PC at, I even got a backup disc there which I had to use a few years ago.

Just checked my programs list and add-ons; nothing new has been installed since the 18th (a CCleaner update). My last scan was a week ago, on the 19th (which didn't find anything).

I ran a Malwarebytes scan on the 20th and it didn't find anything. I also ran AdwCleaner and JRT today; they didn't find anything.

Think it's just a false positive? Am I good?

RogueKiller / Re: ===> False Positives <===
« on: September 05, 2016, 12:51:21 PM »
Update:

Both detections have disappeared after running a scan in safe mode after updating RK. Has it already been whitelisted?

If they still don't show up after running it again in normal mode, does that mean I'm fine?

Also, they didn't show up on the AdwCleaner, JRT, Kaspersky anti-rootkit, McAfee anti-rootkit, Malwarebytes, or HitmanPro scans. None of them found anything malicious.

RogueKiller / Re: ===> False Positives <===
« on: September 05, 2016, 08:36:43 AM »
Hello

I am here to report false positives.

A scan of RogueKiller found 2 potential files:

[PUP.Gen][File] C:\Users\Gamefan\AppData\Local\RemoveTresoritTemp.exe -> Found
[PUP.Gen][File] C:\Users\Gamefan\AppData\Local\UninstallTresoritCompletely.exe -> Found

These are leftover uninstall EXEs from Tresorit, which is a legitimate alternative to Dropbox; they've never been detected before on any of my scans.

I uploaded both to VirusTotal:

https://www.virustotal.com/en/file/619f1109e826eb98fee8573ee325033d6f6afa37fd94b49817826613cb79dda4/analysis/1473056903/
https://www.virustotal.com/en/file/8c85f3cc07e342cfd7e38870e3af676981c6b0f80d039969a68f7f41c002b369/analysis/1473056917/

What should I do? Are these both legitimate files? I believe DrWeb ended up labeling the second file as safe a few minutes after I uploaded it.

RogueKiller / Re: Driver not working?
« on: January 21, 2016, 05:13:59 AM »
Hi gamefan,

I'm glad to hear it. :)

We reverted back to SHA-1 hashing since we discovered the SHA-2 algorithm is only partially supported on Windows 7: Signing Kernel-mode Drivers with SHA-2/SHA-256
Thanks again for your continuous feedback on the issue; it really helped us troubleshoot it.

Regards.

Ah, I'm not very knowledgeable on SHA stuff, and this is probably a stupid question, but does the algorithm affect RogueKiller's ability to detect?

Again, sorry for necroing the thread. Thank you.

RogueKiller / Re: Driver not working?
« on: January 20, 2016, 10:40:09 PM »
Sorry for necroing this thread, but

in the newest version of RogueKiller, the driver is working again! :)

RogueKiller / Re: Driver not working?
« on: December 05, 2015, 02:27:28 AM »
Do you see any setupapi.dev.log?

Sadly no; I searched the whole laptop.

Hi gamefan,

One last try :
Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
Code:
    wusa /uninstall /kb:2949927 /quiet /promptrestart
Don't close the command prompt before the operation is finished!

Reboot the system and then, please check Windows Update for updates.
If any, install them and reboot the computer before testing RogueKiller again.

Regards.

I tried that; I don't have that update installed on my PC. Is Service Pack 1 needed to do that? My PC won't let me install SP1 for some weird reason, probably the fact that I had to change the HD a while back and I needed Intel Rapid Storage Technology to even get Windows Update to work again, and some updates I read have some severe privacy issues/botnet implications.

I'm sorry about these failings. Should I just let you know if the driver starts working again in a future update? I really am sorry.

RogueKiller / Re: Driver not working?
« on: December 03, 2015, 10:27:59 PM »
Gamefan, could you look into C:\Windows\INF
and see if there are files like setupapi.<something>.log?
Could you attach them all?

Thanks.

Are these what you wanted?

Also, chkdsk didn't work.

I'm running Windows 7 Ultimate, no service pack, if that helps any.

RogueKiller / Re: Driver not working?
« on: December 03, 2015, 12:47:07 PM »
I'm so sorry I'm late; I was busy today.

Anywho, here's what you asked for.

RogueKiller / Re: Driver not working?
« on: December 02, 2015, 01:11:44 PM »
Just tried a quick defrag; it didn't work.

RogueKiller / Re: Driver not working?
« on: December 02, 2015, 12:08:12 AM »
OK, I right-clicked the program, selected "Run as administrator", ran a scan and exported as JSON.

It didn't detect those registry keys above since it got rid of them the first time.

Anything else? Should I try a quick defragmentation of my hard drive?

RogueKiller / Re: Driver not working?
« on: December 01, 2015, 10:16:23 PM »
I was able to get the error message to pop up again if you guys need it.

Yeah, I think the system thinks it's unsigned or something.

I have a question, though. If I have AdwCleaner Free, Avast Free, MBAM Free, Kaspersky TDSSKiller, McAfee anti-rootkit, HitmanPro Free, JRT, and RogueKiller Free, and I run the scans one at a time, do I need the driver for RogueKiller fixed if those keys were all it found without it and the others didn't find anything else?

RogueKiller / Re: Driver not working?
« on: December 01, 2015, 05:31:40 PM »
Tigzy and Curson,

Here's the sig log file and the driver file in an archive, and a screenshot if it helps.

I did turn off Avast; same results. It doesn't even alert Avast when it's on.

Stupid question, but: Unity Web Player has nothing to do with RogueKiller, right?

Can RogueKiller detect nearly everything without the rootkit driver? All it found last time were just some registry keys left over after resetting IE, but I'm not sure what the first one was:

[PUP] (X64) HKEY_LOCAL_MACHINE\Software\ASK -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1025616775-32965946-2427245248-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1025616775-32965946-2427245248-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

RogueKiller / Re: Driver not working?
« on: December 01, 2015, 01:00:40 PM »
Sorry for the extra post, but I removed the .sys file from the drivers folder; upon starting up RogueKiller it created a new one, but the light still won't turn green.

I don't know what the driver does, but I'm afraid it might not detect something important when I do my routine scans and then back stuff up to my hard drives.

RogueKiller / Re: Driver not working?
« on: December 01, 2015, 12:41:41 PM »
Is there any way to get a fresh copy of the driver without releasing everything RogueKiller deleted?

RogueKiller / Re: Driver not working?
« on: December 01, 2015, 12:39:19 PM »
Yes, it is in there, and it is version 11.

I found this in the event viewer:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/1/2015 2:20:14 AM
Event ID:      5038
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:     Gamefan-PC
Description:
Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:   \Device\HarddiskVolume3\Windows\System32\drivers\TrueSight.sys
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5038</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-01T08:20:14.550725900Z" />
    <EventRecordID>120551</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="48" />
    <Channel>Security</Channel>
    <Computer>Gamefan-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\TrueSight.sys</Data>
  </EventData>
</Event>

Either the driver is corrupt or not digitally signed.
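Added example, not part of the original thread and not RogueKiller's own tooling: a PowerShell script that checks the two things this thread turns on. First, whether the driver named in the Event ID 5038 entry above carries a valid Authenticode signature and which digest algorithm (SHA-1 or SHA-256) that signature uses, which is the SHA-1 versus SHA-2 distinction Curson's later reply about Windows 7 support refers to. Second, it lists recent 5038 "image hash is not valid" events for the same file. The driver path and file name are taken from the event text; `Get-DriverSignatureInfo` and `Get-CodeIntegrityFailures` are names chosen for this example. It assumes Windows PowerShell 5.1 run from an elevated prompt, since the Security log is admin-only.

```powershell
# Added example (not from the thread or the RogueKiller project).
# Assumes Windows PowerShell 5.1 on Windows, run elevated.
Add-Type -AssemblyName System.Security   # SignedCms lives in System.Security.dll on .NET Framework

function Get-DriverSignatureInfo {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Ask Windows what it thinks of the signature (Valid, NotSigned, HashMismatch, ...).
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 2. Get-AuthenticodeSignature does not expose the file digest algorithm, so pull the
    #    raw PKCS#7 blob out of the PE security directory and decode it ourselves.
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                 # e_lfanew -> "PE\0\0"
    $optHdr   = $peOffset + 4 + 20                                     # after PE sig + COFF header
    $magic    = [BitConverter]::ToUInt16($bytes, $optHdr)              # 0x10B = PE32, 0x20B = PE32+
    # Data directories begin 96 bytes into a PE32 optional header, 112 bytes into PE32+.
    $dirBase  = if ($magic -eq 0x20B) { $optHdr + 112 } else { $optHdr + 96 }
    $secEntry = $dirBase + 4 * 8                                       # index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
    $secOff   = [BitConverter]::ToInt32($bytes, $secEntry)             # for this directory the RVA is a file offset
    $secSize  = [BitConverter]::ToInt32($bytes, $secEntry + 4)

    $digest = 'none (no security directory)'
    if ($secOff -ne 0 -and $secSize -gt 8 -and ($secOff + $secSize) -le $bytes.Length) {
        # WIN_CERTIFICATE header: dwLength(4) wRevision(2) wCertificateType(2), then the PKCS#7 bytes.
        $pkcs7 = New-Object byte[] ($secSize - 8)
        [Array]::Copy($bytes, $secOff + 8, $pkcs7, 0, $secSize - 8)
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($pkcs7)
        # Primary signer only; a dual-signed file nests its second signature in an unsigned attribute.
        $digest = $cms.SignerInfos[0].DigestAlgorithm.FriendlyName     # e.g. "sha1" or "sha256"
    }

    [pscustomobject]@{
        File   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Digest = $digest
    }
}

function Get-CodeIntegrityFailures {
    param([string]$FileName = 'TrueSight.sys', [int]$MaxEvents = 50)
    # Event 5038 ("Code integrity determined that the image hash of a file is not valid")
    # is written to the Security log by Microsoft-Windows-Security-Auditing; param1 is the file.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -like "*$FileName*" } |
        Select-Object TimeCreated, Id, @{ Name = 'File'; Expression = { $_.Properties[0].Value } }
}

# Path taken from the event text above; adjust if the driver lives elsewhere.
Get-DriverSignatureInfo -Path "$env:SystemRoot\System32\drivers\TrueSight.sys" | Format-List
Get-CodeIntegrityFailures -FileName 'TrueSight.sys' | Format-Table -AutoSize
```

Reading the output: a Status of HashMismatch with an intact download points at a digest the platform cannot verify rather than at corruption, and Digest tells you whether that digest is SHA-1 or SHA-256. Note that Get-AuthenticodeSignature reflects the user-mode WinVerifyTrust view, not the kernel's code integrity policy, so a file can validate here and still fail at driver load; the 5038 events are the authoritative record of what the kernel rejected.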
