Author Topic: Nice Software: possible flaw in functionality  (Read 16859 times)


BeanAnimal

  • Guest
Nice Software: possible flaw in functionality
« on: September 10, 2014, 06:22:18 AM »
While this software has proven to be useful, especially regarding the registry virus variants, it is by no means a universal malware/virus removal tool (there is no such thing). That means that as useful as the tool is, it often has to be used with other tools in the toolbox to clean an infected machine.

Anybody who has spent any time cleaning an infected machine knows that the act of opening a browser before the machine is fully clean can cause a reinfection or even make the infection worse. That simple fact raises a question regarding RK opening a browser session after PRE-SCAN and then again after CLEANUP.

POST EDITED by BeanAnimal to simply state the issue.
« Last Edit: September 13, 2014, 02:11:57 AM by BeanAnimal »

Reply #1, September 10, 2014, 09:56:25 AM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Nice Software but are you clueless, arrogant, or just vain?
« Reply #1 on: September 10, 2014, 09:56:25 AM »
What else to say?
Maybe "hello" could be a good thing...

Seriously, where the heck did you see "universal malware removal tool with 100% accuracy" ? Nowhere.
Then, there's NO pop-up. There's only 1 (yes, you've read one) website opening after the prescan "Thanks for downloading blabla". That one will never be shown again, that sounds logical, you only download once.
After the scan, it opens the website ONLY if an infection is found, just to help provide information about it, help during the removal process and provide support if needed (contact form, forum, ...). A lot of people downloading RogueKiller don't even know that support exists.

To finish, if you don't find RogueKiller useful I see only one choice : Do not use it anymore. Hey, that's free, you never signed a contract nor paid for it.

Enjoy your day, try to relax.

Reply #2, September 10, 2014, 04:50:41 PM

BeanAnimal

  • Guest
Re: Nice Software but are you clueless, arrogant, or just vain?
« Reply #2 on: September 10, 2014, 04:50:41 PM »
Quote
What else to say?
Maybe "hello" could be a good thing...

Seriously, where the heck did you see "universal malware removal tool with 100% accuracy" ? Nowhere.

I think you missed the (rather clearly articulated) point. As there is no perfect tool, we usually have to use multiple tools to remove an infection. In that context, it is purely asinine that YOUR tool initiates a browser session (at least twice) in the context of cleaning an infected system. Opening a browser session (regardless of the reason) often causes a re-infection of already moved components.

 
Quote
Then, there's NO pop-up. There's only 1  (yes, you've read one) website opening after the prescan
Heh... there's none, but there is only one? Either there is or there isn't, and of course we both know there is. Or are we going to ignore the context of the issue and quibble about the actual definition of "popup"? POINT BLANK, your tool initiates a browser session after the pre-scan and that process often kicks off more malware processes that may have been terminated by tools used before RK during the cleanup process.


Quote
"Thanks for downloading blabla". That one will never be shown again, that sounds logical,  you only download once
You are missing the point (again), it is not logical, it is counter productive to the cleaning process. If you want a "blabla" advert, then put it in the freaking interface instead of opening a browsing session.

Quote
After the scan, it opens the website ONLY if an infection is found, just to help provide information about it, help during the removal process and provide support if needed (contact form, forum, ...). A lot of people downloading RogueKiller don't even know that support exists.
If your tool is unable to fully clean the infection, then popping open a browser window will often times re-infect the machine and/or spread the infection. This is malware removal 101 and you are ignoring it (twice).

So again, this information (support and contact information) should be native to the interface with maybe a link to the infection information that would give the tech the OPTION of opening a browser session to view it...


Quote
To finish, if you don't find RogueKiller useful I see only one choice : Do not use it anymore. Hey, that's free, you never signed a contract nor paid for it.
The fact that the tool is useful was clearly articulated (at least 3 times).

Post title "Nice software..."
First sentence in post "...this software has proven to be useful, especially regarding the registry virus variants..."
Second sentence in post "...That means that as useful as the tool is..."

The issue is with your decision to initiate (two) browser sessions during the cleanup process. Your responses here appear to answer my initial question posted in the title of this thread.

Regarding "free" and "contract". I did not set the price or terms of use, you did and I did not mention or complain about the cost. Free or paid would not change the issue regarding the poorly thought out browser sessions. I suspect that part of your motivation is ad-revenue related. I have no issue with you covering your development costs or even becoming filthy rich by the sale of your software or ad-revenue related to your site. The sentiment does not change the fact that initiating a browser session (twice) during the cleanup process is an utter fail in logic.



Reply #3, September 11, 2014, 07:31:29 AM

Tigzy

Re: Nice Software but are you clueless, arrogant, or just vain?
« Reply #3 on: September 11, 2014, 07:31:29 AM »
Quote
Opening a browser session (regardless of the reason) often causes a re-infection of already moved components.
No. Give me ONE example of malware that's able to self-download and run itself from a random website. You know it's false, because most people are disinfected by internet (forums) and they never run into issues like that, either you're a liar, or you obviously don't know what you are talking about.

Quote
Heh... there's none, but there is only one?
There's a website opening, this is not a popup.

Quote
You are missing the point (again), it is not logical, it is counter productive to the cleaning process. If you want a "blabla" advert, then put it in the freaking interface instead of opening a browsing session.
It is not up to you to tell me where I should open my website. Websites are designed to run in web browsers, not random applications. That's best practice and better UX.

Quote
If your tool is unable to fully clean the infection, then popping open a browser window will often times re-infect the machine and/or spread the infection
Again, NO. You know what? Malware doesn't need a browser to communicate.

Quote
I suspect that part of your motivation is ad ad-revenue relate
No, that's because (as I said) most people don't know how to interpret the reports, and showing a webpage related to the most important infection is a way to give them the opportunity to understand it, find the support they need and remove it without any collateral damages. They usually appreciate it.
That's the first time someone complains about it.

Anyway, despite all of this, I've already opened a ticket to deactivate those website callbacks with a setting.
« Last Edit: September 11, 2014, 05:41:10 PM by Tigzy »

Reply #4, September 11, 2014, 08:08:52 PM

BeanAnimal

  • Guest
Re: Nice Software but are you clueless, arrogant, or just vain?
« Reply #4 on: September 11, 2014, 08:08:52 PM »
Sir, I am not sure if there is some type of language barrier here and you are actually missing the point, or you are simply being obtuse due to my very forward initial post. Sorry we got off (my fault) on the wrong foot. Let me try to kindly make my point with the statement of a few simple facts.

  • Opening a browser session (be it IE, Firefox, Chrome, whatever) causes numerous registry, system hook, executable and DLL calls. Any of these items can be infected and/or re-initiate infection of other items if given the chance to run. This is the reason that when cleaning a PC we do not run a browser or other process, other than the cleaning tools themselves.
  • It often takes a progression of tools to clean an infection. Your tool may be a part of that progression of tools. If a given tool is run before your tool and that tool shuts down infected processes, your tool has the real world probability of restarting the infected processes that the previous tool shut down because it opens a browser.
  • "website" and "popup" are the same thing, a browser window. In context here, the content is not relevant.
  • What you decide to do with the observations and advice are your prerogative. Clearly, you are free to do anything you please. I am just pointing out a design flaw in an otherwise wonderful tool.


Good to hear that you have considered making functionality optional.

Reply #5, September 11, 2014, 08:20:48 PM

Tigzy

Re: Nice Software but are you clueless, arrogant, or just vain?
« Reply #5 on: September 11, 2014, 08:20:48 PM »
Quote
Opening a browser session (be it IE, Firefox, Chrome, whatever) causes numerous registry, system hook, executable and DLL calls. Any of these items can be infected and/or re-initiate infection of other items if given the chance to run. This is the reason that when cleaning a PC we do not run a browser or other process, other than the cleaning tools themselves.

As well as opening any third party tool. A browser is just that, a third party tool connected to the internet.
Which application doesn't nowadays?

Quote
It often takes a progression of tools to clean an infection
I know that, I've been on the removal forums for 5 years.

I understand your point of view, however I don't think there are enough threats ITW with this very specific (and complicated) behaviour to initiate a change in the way we are providing information to the user.

EDIT: I think I understand what you mean now. Ex: file association hook can cause web browser opening to start an infected process instead (Rogue name changer, last year). I'll consider having a command line switch to avoid any start of process (notepad can also be a problem). Thanks for pointing it out, and sorry for the language pressure. :)
« Last Edit: September 11, 2014, 08:25:02 PM by Tigzy »

Reply #6, September 13, 2014, 02:06:41 AM

BeanAnimal

  • Guest
Re: Nice Software but are you clueless, arrogant, or just vain?
« Reply #6 on: September 13, 2014, 02:06:41 AM »
Quote
EDIT: I think I understand what you mean now. Ex: file association hook can cause web browser opening to start an infected process instead (Rogue name changer, last year). I'll consider having a command line switch to avoid any start of process (notepad can also be a problem). Thanks for pointing it out, and sorry for the language pressure. :)

Thank you for taking the time to understand. Like I said, the tool itself has been very useful, especially for the registry infection variants that are starting to make the rounds again.

Let me explain part of my frustration that caused me to post in the first place:

As you know, many infections are the result of droppers or have droppers built in. Infections are now sold as a commodity and an infected system may end up having multiple different infections in a short amount of time. I recently had to clean several machines that were infected with a Poweliks variant, along with TDSS and a nasty BHO. To make a long story short, when RK opened the browser, the system was re-infected by the BHO that ComboFix had already shut down. The BHO was putting the rootkit back and then I would have to start all over. I had to remove the disks from each of the PCs and clean them offline and THEN run RK to find and remove the Poweliks. Very frustrating....

Thank you again for recognizing the opportunity to improve the software.

Thread title changed and initial post reworded to remove everything but the basic point I was trying to make.
« Last Edit: September 13, 2014, 02:13:31 AM by BeanAnimal »

Reply #7, September 15, 2014, 12:24:17 AM

Tigzy

Re: Nice Software: possible flaw in functionality
« Reply #7 on: September 15, 2014, 12:24:17 AM »
I've implemented a quick fix for that, by adding 2 command line parameters:
-nopop (no web browser opened)
-nothirdparty (no 3rd party software at all, you won't be able to open the report in the end)

It's for the next release, documentation will be updated. In the long term, a "settings" menu will be available to toggle such features.

Reply #8, November 13, 2014, 11:42:39 PM

schmidtrg

  • Guest
Re: Nice Software: possible flaw in functionality
« Reply #8 on: November 13, 2014, 11:42:39 PM »
I'm glad you guys finally got on the same page. While I agree with the OP, it could have been put a bit more tactfully. But I'm always leery of using anything that opens a browser window when trying to remove malware/viruses. Too many possibilities for issues - host/lmhost entries, proxy hijacks, possible rogue scheduling to reinfect, etc.


So yes, I agree with the Orig. Poster in that as far as hunting and removing malware and viruses, browser windows should always be a no-no.

Reply #9, November 14, 2014, 12:03:25 AM

schmidtrg

  • Guest
Re: Nice Software: possible flaw in functionality
« Reply #9 on: November 14, 2014, 12:03:25 AM »
Oooops, forgot the Hello,


And just a follow up. I do want to thank you in that RK was the only app that allowed me to kill and remove the Poweliks infection (via the kill the dllhost.exe with Process Explorer, and then kill the infection with RK).

Kudos on that.

As a side note, does anyone know of a registry editor tool that allows the characters that prevent the standard regedit app from being able to display the keys that Poweliks inserts? It would have been nice to be able to see the key, and be able to know absolutely after hoping the infections have been removed to check under a registry review manually. I have no doubt that since this is such a successful malware infection that there will be variants - and having an editor that can display hidden characters would be beneficial.


At any rate, thanks again. It sure was nice to see the surrogates go away.

Reply #10, November 14, 2014, 07:27:40 AM

Tigzy

Re: Nice Software: possible flaw in functionality
« Reply #10 on: November 14, 2014, 07:27:40 AM »
You can with RogueKillerCMD :)
Other than that, dumping the parent key in hive format, and opening it with a hex editor.
You'll need the ntreg (un)documentation: http://sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf
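
The offline approach from the reply above (dump the key as a hive file and read the raw records), as an added example that is not part of the original thread and is not RogueKiller's code: a small Python scanner that walks the cells of a regf hive and flags key (nk) and value (vk) names containing NUL, control or non-ASCII characters for manual review. The sample hive is constructed inside the script and the function names are hypothetical; on a real dump, read the file bytes and pass them to `suspicious_names`.

```python
import struct

def build_sample_hive():
    """Constructed sample: regf base block plus one hbin holding three vk cells."""
    def vk_cell(name, ascii_name):
        # vk record: signature, name length, data size, data offset, type, flags, spare
        rec = struct.pack("<2sHIIIHH", b"vk", len(name), 0, 0, 1,
                          1 if ascii_name else 0, 0) + name
        rec += b"\x00" * (-(len(rec) + 4) % 8)           # cells are 8-byte aligned
        return struct.pack("<i", -(len(rec) + 4)) + rec  # negative size = allocated
    cells = (vk_cell(b"Updater", True)
             + vk_cell("\x00hidden".encode("utf-16-le"), False)
             + vk_cell("caf\u00e9".encode("utf-16-le"), False))
    free = 0x1000 - 0x20 - len(cells)                    # rest of the bin is one free cell
    body = cells + struct.pack("<i", free) + b"\x00" * (free - 4)
    hbin = struct.pack("<4sII", b"hbin", 0, 0x1000).ljust(0x20, b"\x00") + body
    return b"regf".ljust(0x1000, b"\x00") + hbin

def iter_cells(hive):
    """Yield (file offset, record bytes) for every allocated cell in every hbin."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive (missing regf signature)")
    pos = 0x1000                                         # first hbin follows the base block
    while pos + 0x20 <= len(hive) and hive[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        if hbin_size < 0x20:
            break                                        # corrupt bin header, stop
        off, end = pos + 0x20, min(pos + hbin_size, len(hive))
        while off + 4 <= end:
            size = struct.unpack_from("<i", hive, off)[0]
            if abs(size) < 4 or abs(size) > end - off:
                break                                    # corrupt cell, skip rest of bin
            if size < 0:
                yield off, hive[off + 4:off + abs(size)]
            off += abs(size)
        pos += hbin_size

def suspicious_names(hive):
    """Return (offset, record type, escaped name) for names regedit may not show."""
    findings = []
    for off, rec in iter_cells(hive):
        sig = rec[:2]
        if sig == b"nk" and len(rec) >= 0x4C:            # key node
            flags = struct.unpack_from("<H", rec, 2)[0]
            nlen = struct.unpack_from("<H", rec, 0x48)[0]
            raw, is_ascii = rec[0x4C:0x4C + nlen], bool(flags & 0x20)
        elif sig == b"vk" and len(rec) >= 0x14:          # value
            nlen = struct.unpack_from("<H", rec, 2)[0]
            flags = struct.unpack_from("<H", rec, 0x10)[0]
            raw, is_ascii = rec[0x14:0x14 + nlen], bool(flags & 0x01)
        else:
            continue
        name = raw.decode("latin-1" if is_ascii else "utf-16-le", errors="replace")
        if any(not ch.isprintable() or ord(ch) > 0x7E for ch in name):
            findings.append((off, sig.decode(), name.encode("unicode_escape").decode()))
    return findings

if __name__ == "__main__":
    for off, kind, name in suspicious_names(build_sample_hive()):
        print(f"0x{off:06x} {kind} name={name!r}")
```

The scan is linear over cells rather than a walk of the key tree, so a data cell that happens to begin with the bytes `nk` or `vk` can produce a false hit; confirm each reported offset in the hex editor.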

Reply #11, November 19, 2014, 11:22:13 PM

BeanAnimal

  • Guest
Re: Nice Software: possible flaw in functionality
« Reply #11 on: November 19, 2014, 11:22:13 PM »
Jaw dropping...

I just downloaded the latest version to aid in a stubborn cleanup. Not only have you arrogantly refused to change the functionality, but you are now forcing THREE browser sessions.


The first when the software opens, the second after the initial startup scan and the third when the scan is complete.

Clearly, your motives here are page impressions for your Google ad impression profits (and/or simply arrogant vanity). As clearly pointed out in the previous comments, opening a browser session WHILE CLEANING A PC is a very poor idea... and your software does it AT LEAST three times during the process. Every other reputable package out there forces browser sessions to close and here you are doing the opposite...

Again sir, this is clearly and arguably poorly implemented logic and instead of changing it in the new release, you have doubled down on it. Nice job!
« Last Edit: November 19, 2014, 11:24:45 PM by BeanAnimal »

Reply #12, November 20, 2014, 11:16:03 AM

Tigzy

Re: Nice Software: possible flaw in functionality
« Reply #12 on: November 20, 2014, 11:16:03 AM »
There's only 1 browser session in the 10.0.6, and only if you're infected with something.

The "thanks for downloading" is opening just once. At first run, then it's gone.
The session you mentioned is here after the scan, not after prescan.

To finish, there's a -nopop -nothirdparty command line that you can use to avoid this;
Remember, I did it for you a couple months ago, I can't believe you haven't tried it yet...

http://forum.adlice.com/index.php?topic=184.msg666#msg666 <= Caution, a jump in the past
« Last Edit: November 20, 2014, 11:27:46 AM by Tigzy »

Reply #13, November 20, 2014, 02:34:53 PM

BeanAnimal

  • Guest
Re: Nice Software: possible flaw in functionality
« Reply #13 on: November 20, 2014, 02:34:53 PM »
Quote
There's only 1 browser session in the 10.0.6, and only if you're infected with something.
I think you are (again) engaging in fuzzy math the same way you did at the beginning of the thread. NONETHELESS, WHY IN THE WORLD WOULD YOU OPEN A BROWSER SESSION ON A PC THAT YOU ARE TRYING TO CLEAN????

Quote
The "thanks for downloading" is opening just once. At first run, then it's gone.
So when YOUR tool is run in conjunction with OTHER tools, your tool OPENS A FREAKING BROWSER WINDOW that has the real world side effect of re-infecting components that have already been cleaned by the other tools. This was already pointed out several times. You simply choose to ignore it in favor of the popup that generates revenue for you.

Quote
The session you mentioned is here after the scan, not after prescan
Like I said, your product initiated a browser session THREE times. Let's just say I am crazy and it is only TWO times. That is TWO TIMES TOO MANY. What don't you get about that?

Quote
To finish, there's a -nopop -nothirdparty command line that you can use to avoid this;
Remember, I did it for you a couple months ago, I can't believe you haven't tried it yet...
Why relegate it only to command line? Of course, because most folks DON'T use the command line and the goal here is browser impression right?

The bottom line: Your product works just fine but your decision to use browser sessions (for whatever reason) is an extremely poor decision that hinders the overall quality of your product.

I assume that your decision to use the browser sessions is revenue based, given the fact that your pages are adorned with targeted advertisements. In that case, I highly doubt that you are going to change the functionality. I certainly have no issue with revenue generation or for that matter, even obscene profits. In that context, I understand your desire for the browser sessions, but they hurt the function of the software. In any case, I have said my two cents and will not bother you again about this.

Reply #14, November 20, 2014, 04:01:54 PM

Tigzy

Re: Nice Software: possible flaw in functionality
« Reply #14 on: November 20, 2014, 04:01:54 PM »
Quote
NONETHELESS, WHY IN THE WORLD WOULD YOU OPEN A BROWSER SESSION ON A PC THAT YOU ARE TRYING TO CLEAN?
Told you already, please scroll up, everything has been discussed before.

Here's the answer:
Quote
No, that's because (as I said) most people don't know how to interpret the reports, and showing a webpage related to the most important infection is a way to give them the opportunity to understand it, find the support they need and remove it without any collateral damages. They usually appreciate it.
That's the first time someone complains about it.

Quote
Why relegate it only to command line? Of course, because most folks DON'T use the command line and the goal here is browser impression right?
Because of what I told you.
Sorry but I'm tired of repeating again and again. This has been studied, and there's no problem at all.
Use the command line for those 1% of infections you're talking about, or use another tool. Seriously.

You know what? There's no ad in the pages you are talking about. They are on the template page, but they are never clicked because people are just either closing the page, or read the text. No click is needed, and so there's no "obscene profit", like you said.

If you plan to re-open that thread in 2 weeks or so, look at that red bold big text.
« Last Edit: November 20, 2014, 04:06:15 PM by Tigzy »