

Messages - Curson

1
UCheck / Re: Calibre Download Size Incorrect
« on: Today at 06:57:30 pm »
Hi Phil,

Thanks for the feedback again.
I'm glad this bug is now resolved.

Have a nice week.
Regards.

2
UCheck / Re: Calibre Download Size Incorrect
« on: January 10, 2020, 07:28:55 pm »
Hi Phil,

Thanks.

Have a nice weekend, too.
Regards.

3
UCheck / Re: Calibre Download Size Incorrect
« on: January 09, 2020, 10:02:27 pm »
Hi Phil,

You are very welcome.
UCheck V3.5.1 was released today and the bug should now be fixed. Could you please give it a try?

Have a nice day, too.
Regards.

4
Malware removal help / Re: Tr.Gen
« on: January 09, 2020, 09:53:59 pm »
Hi Christophe,

Welcome to Adlice.com forum.
Could you please download and install the latest version of RogueKiller (V14.0.4.0 at this time), run a scan and delete the folder, then attach the removal report to your next reply?

Regards.

5
UCheck / Re: Calibre Download Size Incorrect
« on: January 08, 2020, 04:25:37 pm »
Hi Phil,

Thanks again for your help.
This one is clearly a bug on our side. We will fix it as soon as possible.

Have a nice day.
Regards.

6
UCheck / Re: Calibre Download Size Incorrect
« on: January 07, 2020, 12:28:56 pm »
Hi Phil,

You are very welcome.
I just asked Tigzy and he said he wants the sizes to be consistent with the ones displayed in the Add/Remove Programs control panel, so it's very unlikely they will be removed.

Have a nice day, too.
Regards.

7
UCheck / Re: Calibre Download Size Incorrect
« on: January 06, 2020, 06:24:40 pm »
Hi Phil,

We identified the issue and a fix is not currently possible.
At the moment, the size matches the one displayed by the Add/Remove Programs control panel. However, when a software installer does not write its own size (using the EstimatedSize Registry value), Windows has to "guess" it, and it's not quite efficient; see "How does Add/Remove Programs get the size and other information?".

So, if Windows guessed the size wrong, UCheck's size will also be off.

Another approach would be to probe each download link and check the returned Content-Length HTTP entity header to get the size of the installer itself. Unfortunately, some servers don't return this header, so it's not an efficient solution.

We will probably change the way UCheck retrieves the sizes in the future but it will require extensive refactoring, so it will take time.

Have a nice day.
Regards.
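The two size sources discussed in the post, side by side, as an added example (this is not UCheck or Adlice code): the EstimatedSize value under the Uninstall registry keys that Add/Remove Programs reads, and the Content-Length header returned by a HEAD request against a download link. The installer URL is a placeholder you must replace; the display-name filter 'calibre*' is only an assumption for the example.

```powershell
# Added example, not UCheck code. Source 1: EstimatedSize (in KB) from the Uninstall keys.
# When an installer never wrote EstimatedSize, the value is $null and any consumer of the key
# (Add/Remove Programs included) has to estimate the size itself.
function Get-InstalledSizeInfo {
    param([string]$DisplayNameFilter = '*')
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if (-not $p.DisplayName -or $p.DisplayName -notlike $DisplayNameFilter) { return }
            [pscustomobject]@{
                DisplayName = $p.DisplayName
                EstimatedKB = $p.EstimatedSize
                SizeSource  = $(if ($null -ne $p.EstimatedSize) { 'EstimatedSize' } else { 'not written by installer' })
                KeyPath     = $_.PSPath
            }
        }
    }
}

# Source 2: Content-Length from a HEAD request. Returns $null when the server omits the
# header (chunked transfer, redirect chains that strip it, ...) or the request fails.
function Get-RemoteInstallerSize {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -MaximumRedirection 5
        $len = $r.Headers['Content-Length']
        if ($len) { return [int64]$len }
        return $null
    } catch {
        return $null
    }
}

Get-InstalledSizeInfo -DisplayNameFilter 'calibre*' | Format-Table -AutoSize

# Placeholder URL: replace with the real download link you want to probe.
$remote = Get-RemoteInstallerSize -Url 'https://example.invalid/calibre-setup.msi'
if ($null -eq $remote) {
    'No Content-Length header returned; only the registry value is available.'
} else {
    "Installer size from Content-Length: $([math]::Round($remote / 1KB)) KB"
}
```

Comparing the EstimatedKB column with the HEAD result shows which of the two sources the displayed size came from and where the two disagree.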

8
RogueKiller / Re: What can safely be fixed?
« on: January 06, 2020, 05:40:42 pm »
Hi Nina,

I just saw that MBAR was able to detect and delete the rootkit successfully. Could you please ask the user to upload this file from MBAR quarantine?
Quote
c:\windows\system32\msdd0c5c30app.dll (Trojan.Crypt) -> Delete on reboot. [d5ced26c0fc7e6503f612d3009f8b64a]

It will be very interesting for us to analyse it so we can improve RogueKiller's detection of this particular malware.

Regards.

9
UCheck / Re: Calibre Download Size Incorrect
« on: January 05, 2020, 11:45:24 am »
Hi Phil,

Thanks for your feedback.
It seems the issue is also affecting other software. We will investigate it as soon as possible.

Have a nice week.
Regards.

10
RogueKiller / Re: RogueKiller will not install.
« on: January 05, 2020, 11:43:39 am »
Hi Mugsy,

Do you get a prompt to upload a crash dump when attempting to start RogueKiller?
The 32-bit version of the software won't work on a 64-bit system, by the way.

EDIT:
RogueKiller V14.0.4 has been released. Please download it HERE.
If nothing happens when you start it, please follow this process:

Download ProcDump (x64) on your desktop.
Launch a command prompt window (cmd) with admin rights and copy/paste the following command:
Code:
"%USERPROFILE%\Desktop\procdump64.exe" -e -h -ma -accepteula -w RogueKiller64.exe "%USERPROFILE%\Desktop\RogueKiller.dmp"
Do not close the command prompt!

Please then launch RogueKiller64.exe.
A new file named RogueKiller.dmp should have been created on your desktop. Please zip it, upload it to Google Drive/Dropbox and share the link here.

Regards.

11
RogueKiller / Re: What can safely be fixed?
« on: January 01, 2020, 06:26:58 am »
Hi Nina,

You are very welcome.
MBAR may work. At least, RogueKiller's driver wasn't unable to load. With a little luck, it will be the same with MBAR's driver.

Regards.

12
RogueKiller / Re: RogueKiller will not install.
« on: December 30, 2019, 09:44:36 pm »
Hi Mugsy,

Welcome to Adlice.com Forum.
Could you please check if this version of RogueKiller is able to run?

Regards.

13
RogueKiller / Re: ===> False Positives <===
« on: December 30, 2019, 09:42:21 pm »
Hi Mops21,

No fix for this specific detection was released, yet.
The two files you submitted trigger MalPE the same way the installer does. The new model should get rid of these false positives as well.

Regards.

14
RogueKiller / Re: What can safely be fixed?
« on: December 30, 2019, 09:37:53 pm »
Hi Nina,

The interesting part is here:
Code:
{
"scan_what": 0,
"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
"vendors": ["Hidden.From.Registry"],
"name": "Msfs",
"name_process": "",
"target": "",
"pid": 0,
"path_process": "",
"path": "",
"file_md5": "",
"file_sha256": "",
"file_exists": false,
"file_signed": false,
"file_signer": "",
"file_vtscore": -1,
"file_vttotal": 0,
"is_malicious": true,
"detection_level": 2,
"status_str": "Found",
"status_choice": 2,
"status_kill": 0,
"malpe_score": -1.0,
"id": 6
},
{
"scan_what": 0,
"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
"vendors": ["Hidden.From.Registry"],
"name": "mshidkmdf",
"name_process": "",
"target": "C:\\Windows\\System32\\drivers\\mshidkmdf.sys",
"pid": 0,
"path_process": "",
"path": "\\SystemRoot\\System32\\drivers\\mshidkmdf.sys",
"file_md5": "22813FD068277CC4994CB3FB5547AA23",
"file_sha256": "AA5FCFEE8161EA12ED65FAB5A662EE3BFF5B7D725DEFF081FCB45C534FAC976A",
"file_exists": true,
"file_signed": false,
"file_signer": "",
"file_vtscore": -1,
"file_vttotal": 0,
"is_malicious": true,
"detection_level": 2,
"status_str": "Found",
"status_choice": 2,
"status_kill": 0,
"malpe_score": -1.0,
"id": 7
},
{
"scan_what": 0,
"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
"vendors": ["Hidden.From.Registry"],
"name": "mshidumdf",
"name_process": "",
"target": "C:\\Windows\\System32\\drivers\\mshidumdf.sys",
"pid": 0,
"path_process": "",
"path": "\\SystemRoot\\System32\\drivers\\mshidumdf.sys",
"file_md5": "ED11DC4C201FF6C06F171E18B379B589",
"file_sha256": "37E1901ECF54A22D016B844B68847B3894EDCA7854D713C46951BD41684735BB",
"file_exists": true,
"file_signed": false,
"file_signer": "",
"file_vtscore": -1,
"file_vttotal": 0,
"is_malicious": true,
"detection_level": 2,
"status_str": "Found",
"status_choice": 2,
"status_kill": 0,
"malpe_score": -1.0,
"id": 8
},
{
"scan_what": 0,
"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
"vendors": ["Hidden.From.Registry"],
"name": "MSKSSRV",
"name_process": "",
"target": "C:\\Windows\\System32\\drivers\\mskssrv.sys",
"pid": 0,
"path_process": "",
"path": "\\SystemRoot\\System32\\drivers\\MSKSSRV.sys",
"file_md5": "E3B4680BAB18D0898E80C6E4FE05BF55",
"file_sha256": "2F215EB0122A796674123241D7F34849B4A77E9376A373968D5ADAFAB4D428B2",
"file_exists": true,
"file_signed": false,
"file_signer": "",
"file_vtscore": -1,
"file_vttotal": 0,
"is_malicious": true,
"detection_level": 2,
"status_str": "Found",
"status_choice": 2,
"status_kill": 0,
"malpe_score": -1.0,
"id": 9
},
{
"scan_what": 0,
"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
"vendors": ["Hidden.From.Registry"],
"name": "msiserver",
"name_process": "",
"target": "C:\\Windows\\System32\\msiexec.exe",
"pid": 0,
"path_process": "",
"path": "C:\\WINDOWS\\system32\\msiexec.exe /V",
"file_md5": "2D9F692E71D9985F1C6237F063F6FE76",
"file_sha256": "199B3890D28A1F5906F4014E73615A268B3C4414F1F71697BF13E0D464258D54",
"file_exists": true,
"file_signed": false,
"file_signer": "",
"file_vtscore": -1,
"file_vttotal": 0,
"is_malicious": true,
"detection_level": 2,
"status_str": "Found",
"status_choice": 2,
"status_kill": 0,
"malpe_score": -1.0,
"id": 10
}

According to the hashes reported by RogueKiller and after submitting them to VirusTotal, these files are legit.
It may be a bug in RogueKiller or, like I said earlier, the rootkit is messing with the file enumeration functions. In any case, it could be interesting to see if those detections are still present after the rootkit removal.

I will follow the thread at whatthetech with great interest.

Regards.

15
RogueKiller / Re: What can safely be fixed?
« on: December 29, 2019, 01:38:01 am »
Hi Satchfan,

Yes, this is the JSON report, but incomplete as well.

Regards.
