Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - Tigzy

Pages: 1 [2] 3
16
Hello,
If you encounter this issue, please download and run this:
http://download.adlice.com/RogueKiller/Test/testsigs.exe

On a normal PC, it looks like the attached.
Please attach a screenshot like I did, that will help (hopefully) to resolve the issue.

17
News/Updates / RogueKiller FP Database restarting from scratch
« on: February 18, 2015, 04:40:32 pm »
Hello

As of 10.4.0,
we are dropping old badly defined FP detections, and you should see a massive increase of false detections

Please report them into the False Positive thread: http://forum.adlice.com/index.php?topic=235.0
And they will be fixed in the next update which will be quick.

We are also actively monitoring to fix a lot of them on our own.
Thanks for your support! :)

18
RogueKiller / ==> Crash/Hang/Block, please come here <==
« on: November 24, 2014, 09:50:25 am »
Hello
If you have a problem of RogueKiller crashing, please do the following:

---------------

Note on July, 30th 2015:
Just to let you know (I'll update the main post as well) that every BSOD issue will not be fixed now, for a very good reason:
We are in the process of redoing the driver from scratch for better performance and stability.

The driver is the thing that would cause 99% of the BSOD you encounter with (and caused by) RogueKiller, so hopefully once the new version of the driver is out the problem will be gone. Please be patient.

As a workaround you can switch driver off with -nodriver command line, or for Premium users by unchecking the Kernel driver in settings.

---------------

1. BSoD (Blue Screen), this is a driver crash:
  • Go to C:/windows/minidumps
  • Find the latests dump file, and upload it here (zipped please)

2. Application crash:
  • Restart the application
  • If it asks for sending crash information, please upload them. If not, follow 2.1
  • That's all you need to do

2.1 Application crash, manual dump:

3. Application is blocked/hangs on something:
  • Download Process Hacker or Process Explorer, and install it. Start it.
  • Restart RogueKiller
  • When it hangs, make a full dump of the process with Process Hacker/Explorer with a right click.
  • Zip it, upload it on http://upload.adlice.com.

Thanks!

19
RogueKiller / ==> Proc.Injected <==
« on: November 14, 2014, 09:51:58 am »
Hello,
If you encounter this detection, this can mean several things:

- A real infection (like Zeus, Carberp, Poweliks, they are all using that thing)
- Your antivirus injecting your processes to protect you (in theory).

To know what's going on, and possibly whitelist the cases where it's a legit injection, please do the following:
Let's say you have [Proc.Injected] some_process.exe -- C:/path_to_parent_some_process.exe

- Download Process Hacker: http://processhacker.sourceforge.net/downloads.php
- Install it, launch it
- Find the process above
- Right click on it => Create dump (on the desktop)
- Zip the file (winzip, winrar, 7zip)
- Host it anywhere you want (Google Drive, Dropbox, ...) Make sure it's public.
- Put the link here.

We will analyse what is really injected, and whitelist if needed.



20
Malware removal help / ==> Poweliks [Unique Thread] <==
« on: October 31, 2014, 08:49:07 am »
Hello
Many people are infected with this one these days.

The original infection page is here: http://www.adlice.com/poweliks-removal-with-roguekiller/
Here's the way to get rid of it:

- Download Process Explorer and RogueKiller
- Start RogueKiller, do the Prescan and the Scan. It must detect the registry keys/values related to Poweliks.
- Launch Process Explorer with admin rights (right click, start in admin), and kill tree on the parent dllhost process
- Do the removal.
- Reboot immediately

EDIT: Some users reported it's easier in Safe Mode.

21
RogueKiller / ===> False Positives <===
« on: October 20, 2014, 11:44:25 am »
This is a common thread to report all false positives.
Please put the entire line of the text report, no screenshot as much as possible.

Thanks :)

VT.Unknown specific case:
VT.Unknown means the file was unknown on Virus Total, and normally it has been uploaded at the same time.
So, after the file is uploaded, it's analysed by Virus Total. It can take a few hours.

If you redo a scan later enough, there's a high chance that the Virus Total report is available.
RogueKiller will grab it and not see it as unknown anymore (and not flag it).
Then depending on the VirusTotal results, if it's malware it will be flagged and you will see a VT.Something detection.

So, please when you see a VT.Unknown detection, it's because the file is quite new on the web.
Be patient, and redo a scan an hour later to check if it has changed. You can also upload it on VirusTotal by yourself to know if it's legit or not.

22
News/Updates / RogueKiller V10 Beta
« on: September 09, 2014, 01:32:37 pm »
Hello :)

I'm very pleased to announce that version 10 of RogueKiller is finally in public beta stage! Yay!  8)
After the version 9 which was a major update about the core (with new SDK), the version 10 is only about UI. We basically rebuilt the same program with Qt, but with small changes and UI fixes.

Please, download it, test it, but keep in mind it's still in beta. Though most of the bugs were fixed during the alpha stage, some may remain.
We are waiting for your feedback, tell us what's good, what's wrong, and provide as much information as possible (if you encounter a crash, please provide a full dump).

Please provide feedback on that thread, or if you won't register to the forum, use the contact form.

Download it here (that's a temporary link, don't rely on it):

No more beta links.



Known issues (to be completed):
  • Translations not updated
  • Binaries not signed

23
Please read this carefully before to post in this section for an issue.  ;)

1/ Please read the tutorial
You'll find many information about what can be considered as suspicious, legit, information about detection colors, etc...

2/ Please read the FAQ
Commonly asked questions.

3/ Please read the Known issues
Bugs already known. No need to ask again we are working on them.

If after that you still need to report something, or ask some help, please read the following.

========== If you need help

- Please provide enough information. The minimum is a text report. You can have one by clicking on "report" after a scan/removal in RogueKiller. If you missed it, reports are stored in %programdata%/RogueKiller/logs.

- You can provide screenshots as well.

- Please don't encapsulate images into docx files, or zip, or whatever. It takes time to open, and not very convenient to use.

- Please don't provide screenshot to show something that could be explained with the report (like a false positive). A report is better because we can copy/paste the detection instead or rewrite it (and avoid mistakes by doing so...).

- Please don't host images on websites, use the attachements instead (we don't wanna wait 30+ seconds to open each file).

========== If you report a bug/crash

- In case of a BSoD: Attach minidump (can be found after the reboot in C:/Windows/minidumps)
- In case of RogueKiller crash. Usually, after restarting the application, it's prompted to upload the crash dump. If you did it, nothing more to report. If you didn't, please open a thread a describe where it crashes. If you know how to use procdump, please provide a dump with it.

24
RogueKiller / Translations!
« on: June 05, 2014, 09:43:49 am »
Hello :)

EDIT: 12/28/2016
Current complete translations are: EN, FR, TU, PO, IT, CN, DE. All others are YET TO BE DONE! :)

EDIT: 10/01/2015
If you wish to be notified on new version of translations (thus that need an update), please subscribe to the Translators mailing list:
http://eepurl.com/bA7nOj

EDIT: 07/03/2016
We are now offering FREE LIFETIME licenses for our translators, because we know the amount of work it's needed for the new version (12). This only works for past translators, and for a full translation (If you update an existing file that won't work).

EDIT: 03/13/2017
Due to a refactoring, some translations are now moved into a "Common" folder, and some "Installer" folder has been added. Common translations are shared across several projects, and installer translations are only used into the installation wizard. They are all needed, so please make sure you translate everything

EDIT: 03/13/2017
Installer translations have a different format, but it's easy:
MyStringToTranslate=This is the actual string that you need to replace



We need translators !

Actually, we already have several languages available, but due to many updates and improvements, those translations are outdated.
If you willing to help and you are bilingual, please help use to improve those translations.

The files needed are available here: https://www.dropbox.com/sh/fuydwcwul2ye3ko/AAA3Eeqkvw7mTf1BeRibrFL7a?dl=0



- .ts files are the translations themselves.
- QTLinguist is the program needed to update the files
- .iss files are files for the installer, they need to be edited with Notepad++ (or any notepad)


Dropbox tries to open them as audio file. First, toggle the list view instead, that's better to see the file names. You have to click on the file, then when it says "cannot read the audio file", click on download. Put it on the desktop if you want.



Here's the way to translate .ts files:

1.If you didn't find your language, and you want to start a new one
- Pick the lang_template.ts file
- Rename it as lang_<your_language>.ts
- Download and extract QTLinguist
- Open the .ts file with it
- "Edit" menu, "Translation file settings" => Select your language in Target language and validate.

2.If you want to update an existing translation
- Pick the lang_<your_language>.ts file
- Download and extract QTLinguist
- Open the .ts file with it

3.Common part
- Use the "Go next unfinished" button to go to first item
- Translate it
- Use the "Mark as finished" button to validate the translation and go to next item
- Redo that until everything is translated and save

(See attached image)

- Please try to make the sentences (if any) the shortest as possible
- Submit your translation on the forum, in this thread :)

If you want more information about QTLinguist, here's the official documentation: http://qt-project.org/doc/qt-4.8/linguist-translators.html



Here's the way to translate .iss files:

1.If you didn't find your language, and you want to start a new one
- Pick the en.iss file
- Rename it as <your_language>.iss
- Open the .ts file with any notepad (Notepad++ for example)
- Translate the part that is the RIGHT of the equal sign (Ex: some_key=Hello => some_key=Bonjour), leave the key untouched.

Thanks!



25
News/Updates / RogueKiller V9 beta
« on: May 23, 2014, 11:55:06 am »
Hello :)

I'm very pleased to announce that version 9 of RogueKiller is finally in public beta stage! Yay!  8)
It took about 2 months+ to redo everything from scratch. From your point of view, it will not change a lot because we tried to redo the same software with (under the hood) a very strong and reliable architecture, easier to maintain and more powerful against malware.

So the UI is pretty much the same, we just did a few cosmetic changes to differentiate from the version 8.
Here's the logbook of the devs, which explains what exactly has changed:  http://www.adlice.com/roguekiller-9-tracks/

Please, download it, test it, but keep in mind it's still in beta. Though most of the bugs were fixed during the alpha stage, some may remain.
We are waiting for your feedback, tell us what's good, what's wrong, and provide as much information as possible (if you encounter a crash, please provide a full dump).

Please provide feedback on that thread, or if you won't register to the forum, use the contact form.

Download it here (that's a temporary link, don't rely on it): http://www.surlatoile.org/RogueKiller/RogueKillerV9.exe



Known issues (to be completed):
  • Command line not implemented yet

Current dev changelog:

V9.0.0 beta 2 05/23/2014
=================
- Fixed a bug in MBR log
- Fixed a bug in Service log
- Fixed a bug in log (RTL characters removed, ZeroAccess)
- Replaced SUSP PATH label by Suspicious.Path
- Removed Chrome.exe IAT/EAT scan
- Fixed 3 bugs in IEAT/EAT display (process is displayed / legit entries are hidden / fixed size of function in console display)
- Now suspicious services registry keys are not prechecked (to avoid confusion with true malware)
- Disabled Forged files removal (except if contains malware signature), due to some false positives
- Fixed a bug in Registry subkey removal (ZeroAccess)
- Fixed a bug in File replacement (added ACL copy before replace, Zekos)
- Fixed a bug in ListView sorting (was too slow)
- Added detections

V9.0.0 beta 1 05/22/2014
=================
- Added crash handler window
- Reports are now translated
- Added missing translations
- Added hover event for Facebook / Paypal links
- Added fancy Facebook button
- Replaced old icons by high res icons
- Added detections
- Fixed a bug in ComManager

V9.0.0 alpha5 05/21/2014
=================
- Brand new high res icon! (thanks nfn678 from deviantart.com)
- Now sending statistics to adlice.com webserver database
- PUM color detection is now Dark Gray
- Added web browser scan
- Added stop button (during scan only)

V9.0.0 alpha4 05/20/2014
=================
- Added context menu select/unselect all
- replaced old MBR display by a listview
- added MBR scan
- fixed carriage return bug in reports
- fixed bad driver decryption
- added Hooks scanner

V9.0.0 alpha3 05/19/2014
=================
- Fixed a bug when exiting with file menu
- Added hosts fix button (hosts tab)
- Fixed window names bug (massive false positive)
- Added true version number comparison for version checker
- Fixed elided text bug
- Added report footer
- Now general progressbar is used as progression
- Now displays fine progression
- Added file scanner

V9.0.0 alpha2 05/16/2014
=================
- Fixed a crash in Yara scanner on some processes
- Fixed a bug in Hidden processes detection
- Fixed a bug in report module, prescan results were removed from reports
- Fixed display bug (wrong X64 display in title)
- Fixed crash handler, now crash dumps will be located in %ProgramData%/RogueKiller/Debug
- Fixed display bug. After removal, status of items was not updated.
- Added Hosts file support
- Added Hosts file line removal
- Removed Proxy, DNS and Shortcut buttons/tabs

V9.0.0 alpha1 05/14/2014
=================
- Rewritten engine from scratch ( RKSdk V1 )
- Moved to Yara scanner
- Fixed a lot of bugs

26
RogueKiller / Known issues
« on: April 05, 2014, 02:26:45 pm »
Hello.

This topic concerns know issues of RogueKiller.
They will be listed here, waiting for the version 9, because we can't release a 8.X version for now.

So please look at this issues before asking regarding a new bug.
All these bugs will be fixed within version 9.

1- Search is looking in reparse points. Because of that bug, some report can look like this:


[username][SUSP PATH]  : C:\Users\Franck\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Quarantine.exe -> TROUVÉ



2- Hidden processes found
This is 99% a false detection, hidden process detection has still some issues.

[Proc.Hidden]  -- -> KILLED [TermThr]

3- ZeroAccess/Whatever found in Antivirus process
This is a false detection, due to database loaded in clear in the antivirus process. Please open a new thread on the forum and DUMP the process memory with process explorer to confirm and whitelist.


27
News/Updates / Email activation with GMAIL
« on: February 06, 2014, 08:44:10 am »
Some of you are probably not receiving email activation if you register with a GMAIL account. :/
This is a problem of server configuration, we are working on it.

28
RogueKiller / RogueKiller blocks on ProcessTree
« on: February 03, 2014, 10:27:20 am »
EDIT 02/18/2014. This is not fixed. We still need debug informations please.


Hello
This is a known issue, but we are unable to fix it due to lack of information.
If you have this problem, please follow the instructions below in order to help us fixing this issue.  :)

- Download the debug version: http://www.sur-la-toile.com/RogueKiller/RogueKiller_DEBUG.exe
- Launch it.
- When it blocks, go to : %Desktop%/RK_Quarantine folder and copy the debug.log file on the desktop.
- It can be huge, so please remove all but the last 100 lines with a text editor like notepad. Save it.
- In this thread, attach this tiny report and please provide your OS information with it (Windows XP, Windows 7 64 bits/32 bits, ... )

Thanks in advance :)



29
RogueKiller / FAQ ( Frequently Asked Questions)
« on: January 31, 2014, 11:41:19 am »

30
General Discussion / Introduce yourself
« on: January 30, 2014, 03:45:40 pm »
Hey :)
Unique topic for introducing.
Please introduce yourself here.

Myself:
Tigzy, owner of Adlice.com. Developer of RogueKiller and some other tools.
Live in France.

:)

Pages: 1 [2] 3