Author Topic: Pre-scan block & maybe false positive  (Read 15252 times)


rk_doubt (Newbie)
Pre-scan block & maybe false positive
« on: March 26, 2015, 11:41:16 AM »
Hi fellows, thanks in advance for your advanced program.
I would like to give my feedback on it, so I started it on 2 different OSes.

On W7 it works flawlessly, despite finding some false positive red threats associated with a detection program (for updating) from the PC manufacturer's brand.

On XP SP3:

1) Very hard just to start it. I've tried both the portable and the installer version, but either gets stuck on the pre-scan and you can't help but reset the OS because everything is blocked (task manager, keyboard and mouse pointer).
So I re-launched it in safe mode and finally it works.


2) At the end of the scan I found this log
Code: [Select]
RogueKiller V10.5.7.0 [Mar 22 2015] by Adlice Software
Email : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Discussion : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe Mode
User : utente [Administrator]
Started from : C:\Documents and Settings\utente\Documenti\Downloads\RogueKiller.exe
Mode : Scan -- Date : 03/25/2015  23:08:47

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 5 ¤¤¤
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-484763869-602162358-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_W_4B42\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_W_4B42\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] CDUDF.SYS -- C:\WINDOWS\system32\drivers\CDUDF.SYS -> Found

¤¤¤ Hosts File : 1 ¤¤¤
[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x2]) ¤¤¤

¤¤¤ Web Browser : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Maxtor 6Y080L0 +++++
--- User ---
[MBR] 6e95574ecc03410bedb2dfebc9fb683a
[BSP] 2463887d4bc98492808f76efcdfccc69 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 51199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 104856255 | Size: 26960 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!

+++++ PhysicalDrive1: MAXTOR 6L020J1 +++++
--- User ---
[MBR] ad5c0416b8b175b3dbd8f285eb57d39c
[BSP] f261d79ad119592be851ba6b5bd2211b : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 19594 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!


It seems that CDUDF.SYS was the problem (MBAR also reported it as forged and deleted it), but at every boot it reappears.
I've analyzed it with a lot of programs, also on VirusTotal; you can see it here: https://www.virustotal.com/it/file/0ef441ac9d748ad2d5b916ae6a79c5faa6fc6b7513144f1c6578635d633cfc87/analysis/1427364566/ but everything seems fine.

Can you tell me how I can resolve the block when launching in normal mode, and whether you can guarantee there's no problem in that log?
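
The report format in the post above, as an added example that is not part of the original thread and not Adlice's code: a small Python triage helper that splits a RogueKiller text report into its "¤¤¤ Section : N ¤¤¤" blocks, parses each "[Category][Kind] detail -> Status" detection line, separates PUM (Potentially Unwanted Modification) entries from items such as [File.Forged] that need an independent hash check before anything is deleted, and flags the two places where this particular report gives no coverage: the anti-rootkit driver that did not load (the scan ran in Safe Mode) and the LL2 MBR read errors. The section and category names follow the English form of the log; the embedded sample report is a constructed excerpt of the one posted, and the triage rules are this reviewer's own assumptions, not RogueKiller's.

```python
"""Triage helper for a RogueKiller text report (added example, not Adlice code)."""
import re
from dataclasses import dataclass, field

# "¤¤¤ Registry : 5 ¤¤¤", "¤¤¤ MBR Check : ¤¤¤",
# "¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x2]) ¤¤¤"
SECTION_RE = re.compile(
    r"^¤¤¤\s*(?P<name>.+?)\s*:\s*(?P<count>\d+)?\s*(?P<note>\(.*\))?\s*¤¤¤$"
)
# "[PUM.Desktop] HKLM\... | DisableSR : 1  -> Found"
# "[File.Forged][File] CDUDF.SYS -- C:\...\CDUDF.SYS -> Found"
DETECTION_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\](?:\[(?P<kind>[^\]]+)\])?\s*"
    r"(?P<detail>.+?)\s*->\s*(?P<status>\S+)$"
)


@dataclass
class Detection:
    section: str
    category: str
    kind: str
    detail: str
    status: str


@dataclass
class Report:
    sections: dict = field(default_factory=dict)  # name -> declared count (None if absent)
    notes: list = field(default_factory=list)     # parenthesised remarks on section headers
    detections: list = field(default_factory=list)
    mbr_errors: list = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Walk the report line by line, tracking the current section."""
    report = Report()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            report.sections[current] = int(m.group("count")) if m.group("count") else None
            if m.group("note"):
                report.notes.append(f"{current}: {m.group('note')}")
            continue
        m = DETECTION_RE.match(line)
        if m and current:
            report.detections.append(Detection(
                current, m.group("category"), m.group("kind") or "",
                m.group("detail"), m.group("status")))
            continue
        if current and "MBR" in current and line.startswith("Error"):
            report.mbr_errors.append(line)
    return report


def triage(report: Report) -> list:
    """Reviewer's rules (assumptions): PUM entries are settings tweaks to review,
    File.Forged entries need a hash check before deletion, anything else a closer look."""
    out = []
    for d in report.detections:
        if d.category.startswith("PUM."):
            verdict = "review"
            reason = "Potentially Unwanted Modification: a settings change, not a malware indicator by itself"
        elif d.category == "File.Forged":
            verdict = "verify"
            path = d.detail.split("--")[-1].strip()
            reason = f"compute the SHA-256 of {path} and compare it with VirusTotal before deleting"
        else:
            verdict, reason = "investigate", f"no rule for category {d.category}"
        out.append({"category": d.category, "detail": d.detail, "verdict": verdict, "reason": reason})
    return out


def coverage_gaps(report: Report) -> list:
    """Places where a zero or an empty section means 'not scanned', not 'clean'."""
    gaps = []
    for note in report.notes:
        if note.startswith("Antirootkit") and "Driver:" in note:
            gaps.append("anti-rootkit driver did not load; that section scanned nothing")
    for err in report.mbr_errors:
        gaps.append(f"MBR check incomplete: {err}")
    return gaps


# Constructed excerpt of the report posted above (English field names).
SAMPLE_REPORT = r"""
¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-484763869-602162358-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Found

¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] CDUDF.SYS -- C:\WINDOWS\system32\drivers\CDUDF.SYS -> Found

¤¤¤ Hosts File : 1 ¤¤¤
[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x2]) ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Maxtor 6Y080L0 +++++
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for item in triage(rep):
        print(f"{item['verdict']:<12} [{item['category']}] {item['detail']}")
        print(f"             {item['reason']}")
    for gap in coverage_gaps(rep):
        print("gap:", gap)
```

On the sample, the two PUM entries come out as "review", the CDUDF.SYS entry as "verify", and the two coverage gaps are reported; the point of the last check is that the "Antirootkit : 0" line in this report is not evidence of a clean system, because the driver never loaded.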

Curson (Global Moderator)
Re: Pre-scan block & maybe false positive
« Reply #1 on: March 26, 2015, 02:44:01 PM »
Hi rk_doubt,

Welcome to Adlice.com Forum.

Quote from: rk_doubt
On W7 work flawlessly despite found some false positive red threats associated with a detect program (for updating) of producer brand of pc
Could you please post the report you obtained? We strive to fix as many false positives as possible.

Quote from: rk_doubt
I've tried with portable and installer version but either stuck on pre-scan and you can't help but reset S.O. cause everything is blocked (task manager, keyboard and mouse arrow)
Could you please relaunch RogueKiller in normal mode using the option -nokill?
If you need help with the program, please refer to the RogueKiller Official tutorial.

Quote
[File.Forged][File] CDUDF.SYS -- C:\WINDOWS\system32\drivers\CDUDF.SYS -> Found
This driver is certainly legit. However, we are going to double-check.
  • Please download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system.
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected, select Cure/Delete for all of them.
  • Click Continue.
  • Click Reboot computer.
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Additionally, zip the following directory :
Quote
C:\TDSSKiller
Host it anywhere you want (Google Drive, Dropbox, ...) but make sure it's public.
Put the link here.

Regards.

rk_doubt (Newbie)
Re: Pre-scan block & maybe false positive
« Reply #2 on: March 27, 2015, 11:00:29 AM »
Quote from: Curson
Hi rk_doubt,

Welcome to Adlice.com Forum.

Thank you Curson, I really enjoy your kindness.
 
Quote from: rk_doubt
On W7 work flawlessly despite found some false positive red threats associated with a detect program (for updating) of producer brand of pc
Could you please post the report you obtained? We strive to fix as many false positives as possible.

I'm sorry, but right now I can't physically access it (a friend's laptop), but I remember it was surely about Dell, something like Dell Detect.


Quote from: rk_doubt
I've tried with portable and installer version but either stuck on pre-scan and you can't help but reset S.O. cause everything is blocked (task manager, keyboard and mouse arrow)
Could you please relaunch RogueKiller in normal mode using the option -nokill?
If you need help with the program, please refer to the RogueKiller Official tutorial.

I'd like to try, but I can't find this option in RogueKiller, just because after 2-3 seconds it gets stuck and I must reboot.



Quote
[File.Forged][File] CDUDF.SYS -- C:\WINDOWS\system32\drivers\CDUDF.SYS -> Found
This driver is certainly legit. However, we are going to double-check.

Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Additionally, zip the following directory :
Quote
C:\TDSSKiller

That's it: https://www.sendspace.com/file/7t37nb

but I can't find the TDSSKiller folder in C:\

Thank you for your support!
« Last Edit: March 27, 2015, 11:02:49 AM by rk_doubt »

Curson (Global Moderator)
Re: Pre-scan block & maybe false positive
« Reply #3 on: March 31, 2015, 09:14:46 PM »
Hi rk_doubt,

You are very welcome. :)
Quote from: rk_doubt
I'm sorry, but right now I can't physically access it (a friend's laptop), but I remember it was surely about Dell, something like Dell Detect.
That's no big deal. I should be able to figure it out by myself.

Quote from: rk_doubt
I'd like to try, but I can't find this option in RogueKiller, just because after 2-3 seconds it gets stuck and I must reboot.
- Please download the latest RogueKiller version and save it to your desktop.
- Press the Windows key + R and enter the following command:
Code: [Select]
"%HOMEDRIVE%\%HOMEPATH%\Desktop\RogueKiller.exe" -nokill
RogueKiller should run just fine.

Quote from: rk_doubt
That's it: https://www.sendspace.com/file/7t37nb

but I can't find the TDSSKiller folder in C:\
TDSSKiller didn't detect the file CDUDF.SYS, so it's OK.

Regards.

rk__doubt (Newbie)
Re: Pre-scan block & maybe false positive
« Reply #4 on: April 14, 2015, 07:54:55 PM »

Quote from: Curson
- Please download the latest RogueKiller version and save it to your desktop.
- Press the Windows key + R and enter the following command:
Code: [Select]
"%HOMEDRIVE%\%HOMEPATH%\Desktop\RogueKiller.exe" -nokill
RogueKiller should run just fine.


Curson (Global Moderator)
Re: Pre-scan block & maybe false positive
« Reply #5 on: April 15, 2015, 12:00:49 PM »
Hi rk__doubt,

Are you the same person who owns the account named rk_doubt?
Do you still need help ?

Regards.

rk__doubt (Newbie)
Re: Pre-scan block & maybe false positive
« Reply #6 on: April 21, 2015, 04:41:27 PM »
Hi Curson, yeah, I'm still here (sorry, but I've lost my previous password). I really can't imagine why my answer in the previous post was badly formatted after the quote, but anyway I still thank you for your kind support.
I wrote that I tried to launch the last version of RogueKiller (both portable and setup), but also with the nokill option I have to reset the PC because it always gets stuck. So I think there's some hard incompatibility with my XP.

Curson (Global Moderator)
Re: Pre-scan block & maybe false positive
« Reply #7 on: April 21, 2015, 10:46:59 PM »
Hi rk_doubt,

You are welcome.
Did you try using the following form to recover your account? Authentication Reminder

Which version of RogueKiller did you use in this last scan ?

Regards.

rk__doubt (Newbie)
Re: Pre-scan block & maybe false positive
« Reply #8 on: April 21, 2015, 10:52:03 PM »
The last version I used was 10.5.10 and it blocked the CPU (with the no-kill feature) like 10.5.7.

Regards

Curson (Global Moderator)
Re: Pre-scan block & maybe false positive
« Reply #9 on: April 21, 2015, 11:14:14 PM »
Hi rk_doubt,

RogueKiller version 10.6.0 is out.
Could you please give it a try ?

Regards.

rk__doubt (Newbie)
Re: Pre-scan block & maybe false positive
« Reply #10 on: April 27, 2015, 12:37:41 PM »
Hi Curson, I've tried v10.6 (also the old GUI this time) with the no-kill option, and same bad outcome.

Curson (Global Moderator)
Re: Pre-scan block & maybe false positive
« Reply #11 on: April 27, 2015, 08:17:41 PM »
Hi rk_doubt,

Let's try another thing:
1) Download RogueKiller (x86) and save it on your desktop.
2) Download ProcDump and extract procdump.exe on your desktop.
3) Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
Quote
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x %USERPROFILE%\Desktop "%USERPROFILE%\Desktop\RogueKiller.exe" -nokill
Do not close the command prompt!

4) RogueKiller will be launched and, when the system hangs, wait for a few minutes before resetting it.
5) A new file named RogueKiller.exe_<datetime>.dmp should have been created on your desktop. Please zip it, upload it on Google Drive/Dropbox and share the link here.

Regards.
« Last Edit: April 27, 2015, 10:02:31 PM by Curson »

rk__doubt (Newbie)
Re: Pre-scan block & maybe false positive
« Reply #12 on: April 28, 2015, 11:40:14 AM »
Hi Curson, thanks for your support.

I've done what you asked me, with some problems:

1) After the first code row, an error "can't find..." appears in the command prompt.
That error seems to disappear if I cut the green text
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x %USERPROFILE%\Desktop
2) The second code row starts RogueKiller (1.6.1) and it hangs (as usual ;)), but after resetting (I waited 10 minutes) I don't find any .dmp file on the desktop.
I've searched the whole PC but nothing was found.

I'll wait for your advice, but if you think it's time to give up, don't feel sorry to tell me. I'm very grateful for your kind help.

Curson (Global Moderator)
Re: Pre-scan block & maybe false positive
« Reply #13 on: April 29, 2015, 12:35:28 AM »
Hi rk_doubt,

The command is a single line and must be pasted as such. Here it is using the "code" formatting:
Code: [Select]
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x %USERPROFILE%\Desktop "%USERPROFILE%\Desktop\RogueKiller.exe" -nokill
Could you please retry?

Regards.

rk__doubt (Newbie)
Re: Pre-scan block & maybe false positive
« Reply #14 on: May 06, 2015, 08:55:43 AM »

Quote from: Curson
Code: [Select]
"%USERPROFILE%\Desktop\procdump.exe" -e -h -ma -accepteula -x %USERPROFILE%\Desktop "%USERPROFILE%\Desktop\RogueKiller.exe" -nokill

Thank you Curson, sorry, but I have to repeat that what happens after the code is nothing, as you can see. Only if I cut the central piece of code (%USERPROFILE%\Desktop) do things start, but it doesn't give me the .dmp file :(

« Last Edit: May 06, 2015, 08:58:24 AM by rk__doubt »