This is the official RogueKiller documentation. RogueKiller is a malware removal software which can be downloaded here. The documentation is a complete reference for the scan modules and detections, and complements what can be found in the tutorial.

 

INSTALL DIRECTORY

 
RogueKiller stores persistent data in %programdata%/RogueKiller.
The subfolders are listed below for information only. You are not supposed to modify anything in them.

  • Logs: Contains reports
  • Quarantine: Contains quarantined items
  • Debug: Contains MBR dumps, and crash dumps (if any)

 

SCAN

The scan is triggered with the Start Scan button. The scan does not modify the system: it only lists the problems and displays them. Once the scan has finished, a text report is available by clicking on the Report button (you can export it in HTML, text or JSON format).


 

DETECTION COLORS

In RogueKiller, detection colors are normalized.

  • Red: Known malware – Highest detection rate
  • Orange: Possible malware – Often has a suspicious path, or is tagged as PUP (Potentially Unwanted Program)
  • Gray: Possible malicious modification – Often not the default system value, or is tagged as PUM (Potentially Unwanted Modification)
  • Green: Not known as malware – This means the item is displayed just for information, but isn’t supposed to be removed (except if you decide it is)

 

DETECTION NAMES

 
PUMs (Potentially Unwanted Modification):

  • PUM.Dns [Possible DNS hijack: please look up the IPs on Google before fixing those lines. If the IPs aren't registered in your own country, fix them.]
    Example: [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E2BCE143-2E7F-4A16-B8B4-029B4F193911} | DhcpNameServer : 10.207.255.130 10.207.255.130 -> FOUND

  • PUM.DesktopIcons [Possible desktop icon hijack. When only PUMs are detected, these lines should be ignored, because they probably result from a user configuration]
    Example: [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND

  • PUM.Proxy [Possible unwanted proxy configuration. If you didn't set a proxy voluntarily, you should remove those lines]
    Example: [PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> FOUND

PUPs (Potentially Unwanted Program):

  • PUP [Program is potentially unwanted. It may have been installed by a bundled installer, or by another program]

 

DELETION

The deletion is triggered by clicking on the Remove button. Before that, you need to review the scan results and check or uncheck the items to remove.

If some items look legitimate, you can uncheck them before the deletion (and please report them to the team by email). Unlike the scan, the deletion modifies the system, because that is how malware must be removed. However, every modified item is quarantined first.

Once the deletion has finished, a text report is available by clicking on the Report button. The program may ask to reboot the PC. If that happens, you should accept, because some malware can only be removed after a reboot and could be reactivated otherwise.

 

PROCESSES/SERVICES

 
Processes:
[Suspicious.Path] malware_proc.com — C:\temp\malware_proc.com[7] -> Killed [TermProc]
[Suspicious.Path] malware.exe — c:\temp\malware.exe[-] -> Killed [TermProc]
[Detection name] Process name — Process path [File signature] -> Kill status [method]
 
DLLs:
[Suspicious.Path] rundll32.exe — C:\temp\inject.dll[-] -> UNLOADED
[Detection name] Process name — DLL path [File signature] -> Unload status
 
Services:
[Tr.Attraps] (SVC) sshnas — C:\sshnas.exe[-] -> STOPPED
[Detection name] (SVC) Service name — Service binary path [File signature] -> Status

 

REGISTRY

 
Registry values:
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | test : C:\temp\malware.exe -> FOUND
[Shell.HJ] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : c:\temp\malware.exe -> FOUND
[Detection name] (X64) [64 bits view] (Nothing) [32 bits view] Registry key | Registry value : Registry data -> Status
 
Registry keys:
[Rogue.BlueFlare] HKEY_CLASSES_ROOT\CLSID\{19090308-636D-4E9B-A1CE-A647B6F794BF} -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> FOUND
[ZeroAccess] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\userinit -> FOUND
[Detection name] Registry key -> Status

 

TASKS

 
[Suspicious.Path] task_test.job — C:\WINDOWS\system32\rundll32.exe (“C:\temp\malware.dll, blabla”) -> FOUND
[Detection name] Task folder \ Task name — Task target (Parameters) -> Status

 

HOSTS FILE

The hosts file is a Windows configuration file that redirects domain names to chosen IPs. It is usually used to forbid access to a website, or to bind a local address (e.g. 192.168.1.12) to a textual name (e.g. http://test.com). Here are some examples of legitimate redirections:

127.0.0.1 localhost (by default in the windows hosts file)
127.0.0.1 www.malware_website.com (prevent the access to a dangerous website)
192.168.1.12 my_local_website (bind a textual address to a local IP)

Malware can use it to redirect legitimate web addresses to malware servers, and thereby infect new users. Here's an example of malicious usage:

123.456.789.10 www.google.com (redirect a well known website to an unknown IP – the malware server)
165.498.156.14 www.facebook.com (redirect a well known website to an unknown IP – the malware server)

[C:\WINDOWS\system32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\WINDOWS\system32\drivers\etc\hosts] ::1 localhost
[C:\WINDOWS\system32\drivers\etc\hosts] 123.456.789.000 www.facebook.com [Hj.Hosts] -> FOUND
[C:\WINDOWS\system32\drivers\etc\hosts] 123.456.789.000 www.google.com [Hj.Hosts] -> FOUND
[Hosts file path] Hosts line [Detection Name (If malicious)] -> Status (If malicious)

These lines must be removed.
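As an added example (not RogueKiller's own code), the following Python checker applies the reasoning above to hosts entries: a name pointed at loopback or a LAN address is a block or a local binding, anything else (or a malformed address) is reported in the same layout as the scan report with the Hj.Hosts tag. The hosts content, the LOCAL_NETS list and the documentation-range addresses are constructed for the example.

```python
import ipaddress

# Constructed hosts file (not a real capture): Windows defaults, a deliberate
# block, a LAN binding, and two hijacked entries pointing well-known sites at
# documentation-range addresses standing in for a malware server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malware_website.com
192.168.1.12    my_local_website
203.0.113.10    www.google.com
198.51.100.14   www.facebook.com
"""

# Assumption: targets in these ranges are a block or a local binding, not a redirect.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10")]

def classify_hosts_line(line):
    """Return (ip, host, verdict) for an entry, None for blank/comment lines.

    verdict is "OK" when the name points at loopback or a LAN address and
    "Hj.Hosts" (the report's tag) when it points anywhere else or the
    address is malformed."""
    parts = line.split("#", 1)[0].split()
    if len(parts) < 2:
        return None
    ip_text, host = parts[0], parts[1]
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:      # impossible octets, as in the docs' own examples
        return ip_text, host, "Hj.Hosts"
    if any(ip in net for net in LOCAL_NETS):
        return ip_text, host, "OK"
    return ip_text, host, "Hj.Hosts"

def scan_hosts(text, path=r"C:\WINDOWS\system32\drivers\etc\hosts"):
    """Print every entry in the report layout above; return the flagged ones."""
    flagged = []
    for line in text.splitlines():
        entry = classify_hosts_line(line)
        if entry is None:
            continue
        ip_text, host, verdict = entry
        suffix = "" if verdict == "OK" else f" [{verdict}] -> FOUND"
        print(f"[{path}] {ip_text} {host}{suffix}")
        if suffix:
            flagged.append(entry)
    return flagged
```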

 

FILES/FOLDERS

 
Files:
[Suspicious.Startup][Fichier] netc.exe — C:\Documents and Settings\tigzy\Menu Démarrer\Programmes\Démarrage\netc.exe -> FOUND
[Detection name][Type] File name — File path -> Status
 
Shortcuts:
[Suspicious.Path][Fichier] malware.exe.lnk — C:\Documents and Settings\tigzy\Menu Démarrer\Programmes\Démarrage\malware.exe.lnk [LNK@] C:\temp\malware.exe -> FOUND
[Detection name][Type] File name — File path [LNK@] Shortcut target -> Status
 
Folders:
[Tr.Karagany][Repertoire] shed — C:\Documents and Settings\tigzy\Application Data\Adobe\shed -> FOUND
[Detection name][Type] Folder name — Folder path -> Status
 
Junctions/Reparse point:
[ZeroAccess][Jonction] $NtUninstallKB1111abc$ — C:\WINDOWS\$NtUninstallKB1111abc$ [JUNCTION@ a0000003] >> \??\C:\Windows\temp -> FOUND
[Detection name][Type] File name — File path [JUNCTION@ Junction tag] >> Junction target -> Status

The bracketed marker shown after a file path tells whether the file is signed/verified and exists:

  • [7] File is Signed and Verified (digital signature exists and is valid)
  • [-] File isn’t Signed, or its digital signature is not valid
  • [x] File doesn’t exist
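As an added example (not RogueKiller's own code), here is a Python parser for the detection line layouts documented in the Processes, Services, Registry and Files sections above. It extracts the detection name, optional item type, signature marker, status and removal method, so that unsigned or missing files can be reviewed first. The report lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed report lines in the layouts documented above (not a real scan).
SAMPLE_REPORT = r"""
[Suspicious.Path] malware_proc.com — C:\temp\malware_proc.com[7] -> Killed [TermProc]
[Suspicious.Path] malware.exe — c:\temp\malware.exe[-] -> Killed [TermProc]
[Tr.Attraps] (SVC) sshnas — C:\sshnas.exe[-] -> STOPPED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | test : C:\temp\malware.exe -> FOUND
[Suspicious.Startup][Fichier] netc.exe — C:\Users\tigzy\Desktop\netc.exe -> FOUND
[ZeroAccess] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\userinit -> FOUND
"""

SIGNATURE_MEANING = {"7": "signed and verified",
                     "-": "not signed, or signature invalid",
                     "x": "file does not exist"}

# [Detection][Type]? body [sig]? -> Status [method]?
_LINE_RE = re.compile(
    r"^\[(?P<detection>[^\]]+)\](?:\[(?P<kind>[^\]]+)\])?"   # detection name, optional item type
    r"\s*(?P<body>.*?)(?:\[(?P<sig>[7x-])\])?"                # name/path or key, optional signature
    r"\s*->\s*(?P<status>[^\[]+?)(?:\s*\[(?P<method>[^\]]+)\])?\s*$")  # status, optional method

@dataclass
class ReportEntry:
    detection: str
    body: str
    status: str
    kind: Optional[str] = None
    signature: Optional[str] = None
    method: Optional[str] = None

    @property
    def signature_meaning(self) -> Optional[str]:
        return SIGNATURE_MEANING.get(self.signature)

def parse_report_line(line):
    """Parse one detection line; None if it does not follow the documented layout."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return ReportEntry(m["detection"], m["body"].strip(), m["status"].strip(),
                       m["kind"], m["sig"], m["method"])

def unsigned_items(text):
    """Entries whose file is unsigned/invalid ([-]) or missing ([x]): the first
    lines an analyst should review before ticking anything for removal."""
    entries = (parse_report_line(l) for l in text.splitlines())
    return [e for e in entries if e and e.signature in ("-", "x")]
```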

 

ANTIROOTKIT

The Antirootkit displays information about possible system modifications made by a rootkit:

  • System Service Dispatch Table (SSDT) – Shows the hooked APIs.
  • Shadow SSDT (S_SSDT) – Shows the hooked APIs.
  • Inline SSDT – Shows the APIs hooked with hot patching.
  • IRP hook – Shows the drivers with hooked major functions.
  • IAT/EAT hooks – Shows the processes with DLLs containing injected code.

Important: System modifications listed by the Antirootkit are for INFORMATION ONLY. They cannot be checked for removal because they are not the malware itself, just a consequence of a possible malware. Removing such an item would be useless and potentially dangerous for system stability.

 
The kernel hooks (not legit) are listed in the report and in the Antirootkit section:

¤¤¤ Antirootkit ¤¤¤
SSDT[119] : NtOpenKey @ 0x80624BA6 -> HOOKED (\??\C:\WINDOWS\TEMP\rqmqbqga.sys @ 0xF783E562)
SSDT[57] : NtDebugActiveProcess @ 0x80643B3E -> HOOKED (Unknown @ 0x89C30200)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x89C302F0)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x89C306D0)
IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB7DF3B40)
IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB7DF3B40)
IRP[DriverStartIo] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB7DF1864)

 
EAT/IAT hooks:
[IAT:Addr] (explorer.exe) ntdll.dll – NtOpenProcess : C:\windows\SYSTEM32\injected.dll @ 0xabc12345
[EAT:Addr] (iexplore.exe) ntdll.dll – NtCreateProcess : C:\windows\SYSTEM32\injected.dll @ 0x6cd6640e
[Table type:Hook type] (Process name) Origin module name – Function name : Detour module path @ Detour function address
 
SSDT/Shadow SSDT hooks:
[SSDT:Addr(Hook.SSDT)] NtEnumerateKey[71] : C:\RegHider.sys @ 0xf8ddd480
[SSDT:Addr(Hook.SSDT)] NtEnumerateValueKey[73] : C:\RegHider.sys @ 0xf8ddd406
[SSDT:Addr(Hook.SSDT)] NtLoadKey[98] : Unknown @ 0xf8d76f02
[Table type:Hook type(Detection name)] Function name[Index in table] : Detour module path @ Detour function address
 
Kernel filters:
[Filter(Root.Filter)] \Driver\atapi @ \Device\Harddisk0\DR0 : \Driver\atapi @ Unknown (atapi.sys)
[Filter(Kernel.Filter)] \Driver\disk @ Unknown : \Driver\malware_driver @ \Device\malware_device (\SystemRoot\system32\DRIVERS\malware.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ Unknown : \Driver\keylog @ \Device\keylogdev (\SystemRoot\system32\DRIVERS\keylogger.sys)
[Filter(Detection name)] Driver name @ Device name : Detour driver name @ Detour device name (Detour module path)
 
IRP hooks:
[IRP:Addr(Hook.IRP)] atapi.sys – DriverStartIo[28] : \SystemRoot\system32\DRIVERS\atapi_hook.sys@ 0x817fe31b
[IRP:Hook type(Detection name)] Driver module name – IRP name[IRP index] : Detour module path @ Detour function address

 

MBR

The MBR tab displays information about the Master Boot Record (MBR) of the machine. This is the very first sector of the hard drive; it contains both the partition table (size/location of partitions) and bootstrap code, which launches the operating system of a bootable disk.

Some malware, known as bootkits (for example TDSS, MaxSST or Stoned), modify either the bootstrap code to launch their own modules, or the partition table to boot on a fake partition, and so start their modules before the operating system starts (and the antivirus protection!).

RogueKiller can detect and remove bootkits, even when they try to hide themselves.
Two hints show that an MBR is legitimate: the bootstrap is known and legitimate, and the different attempts to read the MBR (at different levels) return the same result (meaning the MBR is not hidden).

  • Here's an example of a clean MBR. The bootstrap (BSP) is legitimate (Windows XP), and the User read, LL1 and LL2 return the same thing.
¤¤¤ MBR Verif: ¤¤¤+++++ PhysicalDrive0: VBOX HARDDISK +++++
— User —
[MBR] c708b764ca9daa4f8f33e4e8b3b517da
[BSP] f4eb87199eee8a432bb482bb55118447 : Windows XP MBR Code
Partition table:
0 – [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 4086 Mo
User = LL1 … OK!
User = LL2 … OK!
  • Here's an example of an infected MBR. The bootstrap (BSP) is legitimate (Windows 7), but the LL1 read returns something different. In addition, there is a ghost partition hidden by a rootkit (MaxSST).
¤¤¤ MBR Verif: ¤¤¤+++++ PhysicalDrive0: Hitachi HDS721032CLA362 +++++
— User —
[MBR] a1e2c1a0c1fb3db806dcbb65fdbf8384
[BSP] 0dc0d942fc9152dc059c7e021d2ad3db : Windows 7 MBR Code
Partition table:
0 – [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 – [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 305129 Mo
User != LL1 … KO!
— LL1 —
[MBR] 501fcd9f60449033a7b892d424337896
[BSP] 0dc0d942fc9152dc059c7e021d2ad3db : Windows 7 MBR Code [possible maxSST in 2!]
Partition table:
0 – [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 – [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 305129 Mo
2 – [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625113088 | Size: 10 Mo
  • Here's another example of an infected MBR. The bootstrap (BSP) is infected with MaxSS.t.
¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: ST9500325AS +++++
— User —
[MBR] 318e94ac5cf893f8e2ed0643494e740e
[BSP] 07a9005ccf77d28c668138e4d4a42d65 : MaxSS MBR Code!
Partition table:
0 – [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 13000 Mo
1 – [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 26626048 | Size: 119235 Mo
2 – [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 270819328 | Size: 344703 Mo
User = LL1 … OK!
User = LL2 … OK!

When an MBR is infected, it can be restored by checking the corresponding line in the MBR tab.

+++++ PhysicalDrive0: VBOX HARDDISK +++++ [Physical drive number, Drive name]
— User — [Type of MBR reading (User, LL1, LL2)]
[MBR] c708b764ca9daa4f8f33e4e8b3b517da [MBR hash (MD5)]
[BSP] f4eb87199eee8a432bb482bb55118447 : Windows XP MBR Code [Bootstrap hash (MD5), Bootstrap detection name]
Partition table: [Partition table list]
0 – [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 4086 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
[[Partition status (ACTIVE or not)] Format (Format number) [Visible or Hidden] Offset in sectors on hard drive | Size in MB] [Bootstrap detection name, Bootloader detection name]
User = LL1 … OK [User = LL1 means both methods returned the same MBR, this is expected]
User = LL2 … OK [User = LL2 means both methods returned the same MBR, this is expected]
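As an added example (not RogueKiller's own code), a Python parser for the MBR section layout above that applies the two checks the text describes: the [MBR] hash must be identical across the User, LL1 and LL2 reads, and no partition may be flagged [HIDDEN!]. It also flags a bootstrap label that is not plain "Windows ... MBR Code", which is an assumption based on the examples; the MBR section and its hashes are constructed.

```python
import re

# Constructed MBR section in the layout documented above (hashes are made up).
SAMPLE_MBR = """\
¤¤¤ MBR Verif: ¤¤¤+++++ PhysicalDrive0: EXAMPLE DISK +++++
— User —
[MBR] 0123456789abcdef0123456789abcdef
[BSP] fedcba9876543210fedcba9876543210 : Windows 7 MBR Code
Partition table:
0 – [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
User != LL1 … KO!
— LL1 —
[MBR] 00000000000000000000000000000001
[BSP] fedcba9876543210fedcba9876543210 : Windows 7 MBR Code
Partition table:
0 – [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
2 – [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625113088 | Size: 10 Mo
"""

_PART_RE = re.compile(r"^(\d+) – \[(\w+)\] \S+ \((0x[0-9a-fA-F]+)\) "
                      r"\[(VISIBLE|HIDDEN!)\] Offset \(sectors\): (\d+) \| Size: (\d+) M[oB]$")
# Assumption: a clean bootstrap is labelled "Windows ... MBR Code" with nothing appended.
_CLEAN_BSP = re.compile(r"Windows .* MBR Code")

def parse_mbr_section(text):
    """One dict per reading level (User, LL1, LL2): MBR hash, bootstrap label, partitions."""
    reads, cur = {}, {"mbr": "", "bsp": "", "parts": []}   # cur: lines before any header
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("— ") and line.endswith(" —"):
            cur = reads.setdefault(line.strip("— "), {"mbr": "", "bsp": "", "parts": []})
        elif line[:6] in ("[MBR] ", "[BSP] "):
            cur[line[1:4].lower()] = line[6:].split(" : ", 1)[-1]   # hash, or bootstrap label
        elif (m := _PART_RE.match(line)):
            cur["parts"].append({"index": int(m[1]), "active": m[2] == "ACTIVE",
                                 "hidden": m[4] == "HIDDEN!", "offset": int(m[5])})
    return reads

def assess_mbr(reads):
    """Findings per the text: hashes differing between levels, odd bootstrap, hidden partitions."""
    findings = []
    if len({r["mbr"] for r in reads.values()}) > 1:
        findings.append("hidden MBR: reading levels disagree")
    for method, r in reads.items():
        if not _CLEAN_BSP.fullmatch(r["bsp"]):
            findings.append(f"{method}: suspicious bootstrap '{r['bsp']}'")
        for p in r["parts"]:
            if p["hidden"]:
                findings.append(f"{method}: hidden partition {p['index']} at sector {p['offset']}")
    return findings   # [] means the MBR looks clean
```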

 

WEB BROWSERS

RogueKiller can inspect web browser configuration and addons.

Configuration lines are shown only if they are malicious or suspicious, while all addons are displayed. In the text report, only the malicious addons are shown, or those you chose to remove.

Important: not all listed addons are necessarily malware, so you are not supposed to check and remove them all. Please look at the detection colors and the vendor names.

 
Config:
[PUM.Proxy][FIREFX:Config] 7n6s6tn6.default : user_pref(“network.proxy.http”, “127.0.0.1”); -> FOUND
[PUM.Proxy][FIREFX:Config] 7n6s6tn6.default : user_pref(“network.proxy.http_port”, 1045); -> FOUND
[PUM.Proxy][FIREFX:Config] 7n6s6tn6.default : user_pref(“network.proxy.type”, 1); -> FOUND
[Detection name][Web Browser:Type] User : Config line -> Status
 
Addons:
[PUP][IE:Addon] System : MixiDJ V30 Toolbar [{1122b43d-30ee-403f-9bfa-3cc99b0caddd}] -> FOUND
[Detection name][Web Browser:Type] User : Addon name [Addon ID] -> Status

 

HONEY MODULE

RogueKiller is able to read Windows hives in offline mode, and to disinfect startup folders, in order to:

  1. Clean an operating system located on an external hard drive (other than system hard drive).
  2. Clean a machine started from a live CD (ex: OTLPE)

This can be useful when a rootkit hides or protects its registry keys, or when a PC is locked by ransomware.

The original page embeds a video demonstrating the PE mode on a PC infected with the Urausy malware, started with the OTLPE live CD.

 

COMMAND LINE (Premium Only)

To automate and ease deployment on desktops, RogueKiller provides a command line interface. The available parameters are listed below.
They are all independent (do not forget the '-' character).

-autoscan (automatic launch after prescan)
-autoaccepteula (automatically accept the EULA; this means you have already read it and agree with it)
-autodelete (automatic deletion. Everything is checked, except Proxy, DNS and Hosts. Same as clicking the delete button)
-noremove (ignore detections: drops all detections at the end of the scan)
-nodriver (available in free version) (no driver loading, so no rootkit search in the kernel)
-nopop (available in free version) (suppress any website opening, for a completely silent run)
-nothirdparty (available in free version) (suppress any third-party call, in case an infection restarts on process launch)
-showlegithooks (show legitimate hooks that are normally hidden)
-register [email] [key] (register with your Premium license Id/Key)
-portable-license [path_to_portable_file] (Technician Premium only; specifies where the portable license file is)
-pupismalware (treat all PUP detections as malware)
-pumismalware (treat all PUM detections as malware)
-autoupdate (do not ask when the version is outdated; download the new version directly if the updater is present)
-externalrules [path_to_rules_file_folder] (load a rules file/folder into the external scanner, see here.)
-reportpath [path_to_log_file] (available in free version) (specify where to save the scan report)
-reportformat [txt|json|html] (choose a report format from the given list: either txt, json or html. Default is json)
-vtupload [yes|no] (force the answer for the VirusTotal upload)

 

EXTERNAL SCANNER

The External Scanner allows custom detection rules to be loaded into the RogueKiller engine.
Please refer to the dedicated page.