
RogueKiller scans systems for rootkits, registry issues, and more

RogueKiller is better at resolving registry issues than CCleaner, according to Jack Wallen. Learn how to use this supplemental defense against malicious software.

RogueKiller was a command-line-only application for quite some time; thankfully, the app's developer listened to users who said they preferred GUI apps and created a GUI front end that any admin can easily begin using on company systems. The GUI build is still a single executable with no installer, which makes RogueKiller a perfect portable app. (Note: The RogueKiller site is in French.)

RogueKiller checks for rootkits, rogue processes, rogue registry entries, rogue or untrusted drivers, and Master Boot Record (MBR) issues. It can also restore the hosts file, delete proxy entries, and repair shortcut problems.

Caution: This is not a replacement for an antivirus or an anti-malware tool. Also, RogueKiller is not a tool that anyone can fire up and point and click their way to a healthy PC. You need to use common sense when using RogueKiller; if you don't, you could delete a registry entry that shouldn't be deleted.

Using RogueKiller

Download the RogueKiller executable and copy it to a flash drive. To run a scan, close all running applications, open RogueKiller, and click the Scan button. Within 2-5 minutes, you should see the scan's results (Figure A).

Figure A: A PC's registry issues are resolved.

After you run the scan, check each tab to see if any issues are present. If there is an issue, click the action button to the right of the flagged entry. After you click an action button, RogueKiller runs another scan, and the problem should no longer appear. I find RogueKiller superior to CCleaner for getting rid of rogue registry entries; the two tools have different aims, since CCleaner's registry cleaner removes stale or orphaned entries, whereas RogueKiller goes after entries that load malicious code at startup.

Once the scan is complete, click the Report button to see a full report of what RogueKiller has found; the same findings also appear in the individual tabs on the main window. The actions you take next depend upon what RogueKiller finds. For example:

  • If RogueKiller finds rogue registry entries, you can delete them by clicking the Registry tab and then the Delete button. Look over each entry before deleting it to avoid removing a false positive; a legitimate service or autorun entry deleted here can break the software that depends on it.
  • If there are any rogue processes, click the Delete button.
  • If you find any entries in the hosts file (RogueKiller displays its contents), you can delete all but the localhost entry by clicking the Hosts tab and then the Fix Host button.
  • Click the Proxy tab and, if there are any proxy configurations that do not belong, click the Fix Proxy button.
  • If your system is hit with a FakeHDD attack that renders your shortcuts unusable, click the Fix Shortcuts button to resolve this issue.
Note: With the DNS, Hosts, and Proxy tabs, what RogueKiller finds may not be an issue; it is imperative that you look over anything it finds before you delete it.
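Before clicking Fix Host or Fix Proxy it helps to know what the entries in those tabs mean. The following Python is an added example, not part of RogueKiller or of this article's original text. It classifies hosts-file lines into the default localhost mappings, sinkhole entries that point a name at 127.0.0.1 or 0.0.0.0 (a long run of these is what an installed ad or malware blocklist looks like, and Fix Host would wipe it along with everything else), and redirects that point a name at a routable address (the kind of entry that sends an antivirus update domain or a bank's hostname somewhere else). It also compares the WinINet proxy values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable, ProxyServer, AutoConfigURL) with the configuration you expect on the machine. The sample hosts text, the expected-proxy dictionaries and the 203.0.113.5 address are constructed for the example.

```python
"""Triage the Hosts and Proxy findings before deleting anything.

Added example, not RogueKiller's own code. The hosts classifier works on any
hosts-file text; read_wininet_proxy() reads the live proxy values on Windows
(it needs the winreg module, so it is not exercised in the offline run).
"""
import ipaddress
from collections import Counter

# Targets that block a name rather than redirect it.
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that belong in every hosts file.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                 "ip6-localhost", "ip6-loopback"}

# Constructed sample; 203.0.113.5 is from the documentation address range.
SAMPLE_HOSTS = """\
# constructed sample, not from a real machine
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.blocklist.example     # typical of an installed ad/malware blocklist
0.0.0.0         tracker.example.net       # same thing, 0.0.0.0 form
203.0.113.5     update.example-av.com     # a real address: someone is redirecting this name
"""


def classify_hosts(text):
    """Return (verdict, ip, name, line_no) for every mapping in hosts-file text.

    verdict is 'default' (localhost & co), 'sinkhole' (name blocked), 'redirect'
    (name pointed at a routable address: verify it) or 'malformed'.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        target, *names = line.split()
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            findings.append(("malformed", target, " ".join(names), line_no))
            continue
        for name in names:
            if name.lower() in DEFAULT_NAMES:
                verdict = "default"
            elif str(ip) in SINKHOLE_TARGETS:
                verdict = "sinkhole"
            else:
                verdict = "redirect"
            findings.append((verdict, str(ip), name, line_no))
    return findings


def hosts_summary(text):
    """Count verdicts; a file that is mostly 'sinkhole' is a blocklist, not an infection."""
    return dict(Counter(f[0] for f in classify_hosts(text)))


def assess_proxy(proxy_enable, proxy_server, autoconfig_url, expected):
    """Compare the WinINet values ProxyEnable, ProxyServer and AutoConfigURL with
    what you expect on this machine. expected = {'proxy_server': ..., 'autoconfig_url': ...},
    where None means 'should be unset'. Returns a list of findings (empty = as expected)."""
    findings = []
    if proxy_enable and proxy_server and proxy_server != expected.get("proxy_server"):
        findings.append(f"ProxyServer is {proxy_server!r}, expected {expected.get('proxy_server')!r}")
    if autoconfig_url and autoconfig_url != expected.get("autoconfig_url"):
        findings.append(f"AutoConfigURL is {autoconfig_url!r}, expected {expected.get('autoconfig_url')!r}")
    if not proxy_enable and expected.get("proxy_server"):
        findings.append("proxy disabled but a proxy is expected")
    return findings


def read_wininet_proxy():
    """Read the live values for the current user on Windows. Not called in the offline test."""
    import winreg  # Windows only
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Internet Settings")

    def value(name, default):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return default
    return value("ProxyEnable", 0), value("ProxyServer", ""), value("AutoConfigURL", "")


if __name__ == "__main__":
    for finding in classify_hosts(SAMPLE_HOSTS):
        print(finding)
    print(hosts_summary(SAMPLE_HOSTS))
    # A machine that should have no proxy at all, but has a local interceptor configured:
    print(assess_proxy(1, "127.0.0.1:8080", "", {"proxy_server": None, "autoconfig_url": None}))
```

Run it on a machine and feed the output of read_wininet_proxy() plus the text of %SystemRoot%\System32\drivers\etc\hosts into the two functions; only the 'redirect' entries and the proxy differences need a human decision, and a file full of 'sinkhole' lines is something to export before Fix Host removes it.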

The Driver tab displays hooks made into the Windows kernel. The System Service Descriptor Table (SSDT) is the table the kernel consults when dispatching system calls; a kernel-mode rootkit hooks it by replacing table entries with pointers to its own code so that it can hide files, processes, and registry keys from everything running above it. If some SSDT indexes are reported as hooked by malware, the original index can be restored by left-clicking the rogue entry in the Drivers tab and selecting Restore SSDT. You have to be careful with this: make sure you know it is safe to restore an original index on the system in question, because legitimate security products (older antivirus and host intrusion prevention software on 32-bit Windows) hook the SSDT too, and restoring an index out from under one of them can leave you with an unstable system. On 64-bit Windows, Kernel Patch Protection (PatchGuard) prevents SSDT hooking, so this tab mostly matters on 32-bit systems. To be safe, if you plan on using this feature, create a restore point before moving forward.

If RogueKiller finds issues with your MBR, you can have the tool repair it by clicking the MBR tab and then clicking the Fix MBR button (Figure B).

Figure B: If your machine has multiple drives, select the drive housing the MBR.

You will need to understand what the MBR is before you let any tool rewrite it: the first sector of the disk, holding the boot code that runs before Windows loads and the partition table that says where Windows lives, which is exactly why bootkits overwrite it. If RogueKiller turns up an issue with your MBR and the Fix MBR button is available, your best bet is to allow RogueKiller to fix the issue, but save a copy of that sector first so you can put it back if the rewrite leaves the machine unbootable.
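The backup and a basic sanity check of the sector can be scripted. The following Python is an added example, not RogueKiller's code and not a description of how its own MBR check works: backup_mbr() copies the first 512 bytes of the disk to a file (on Windows from \\.\PhysicalDrive0, which needs an elevated prompt; /dev/sda on Linux), parse_mbr() decodes the boot signature and partition table, and check_mbr() reports things worth understanding before clicking Fix MBR, including whether the boot code matches a SHA-256 hash taken from a backup of a clean machine with the same Windows version. The 512-byte sector from build_sample_mbr() is constructed for the example; the device path, output filename and the 0xEB 0x63 0x90 jump bytes are assumptions.

```python
"""Back up and sanity-check a Master Boot Record before a tool rewrites it.

Added example, not RogueKiller code. backup_mbr() reads the first sector of
the disk (on Windows \\\\.\\PhysicalDrive0 from an elevated prompt; /dev/sda on
Linux); parse_mbr()/check_mbr() work on any 512-byte buffer, and the
constructed sector from build_sample_mbr() is what runs offline.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code (what a bootkit replaces)
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510          # 0x55 0xAA marks a valid MBR
ENTRY_FMT = "<B3xB3xII"      # status, CHS start, type, CHS end, LBA start, sector count


def backup_mbr(device=r"\\.\PhysicalDrive0", out_path="mbr-backup.bin"):
    """Copy the first sector to out_path and return it. Needs admin/root; assumed paths."""
    with open(device, "rb") as disk:
        sector = disk.read(SECTOR)
    with open(out_path, "wb") as out:
        out.write(sector)
    return sector


def parse_mbr(sector):
    """Return signature status, boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for index in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * index)
        if ptype == 0:                      # empty entry
            continue
        partitions.append({"index": index, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, known_good_hashes=()):
    """List things worth understanding before clicking Fix MBR.

    known_good_hashes: SHA-256 values of boot code from backups of clean machines
    with the same Windows version (boot code differs between versions, so only
    compare like with like). Empty means 'skip the comparison'.
    """
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions, expected 1")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"entry {p['index']} has nonstandard status 0x{p['status']:02x}")
        if p["sectors"] == 0:
            problems.append(f"entry {p['index']} has zero length")
    if known_good_hashes and info["boot_code_sha256"] not in set(known_good_hashes):
        problems.append("boot code does not match any known-good hash")
    return problems


def build_sample_mbr():
    """Constructed sector: a short jmp where boot code starts, one active NTFS (0x07) partition."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x63\x90"
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print(info["partitions"], info["boot_code_sha256"][:16])
    print(check_mbr(sample) or "no findings")
    # On a real machine: sector = backup_mbr(); check_mbr(sector, {hash_from_clean_backup})
```

Keep the backup file off the machine being cleaned, and take a fresh one after Fix MBR as well: if the rewritten boot code hashes the same as your clean reference you know what the tool did, and if the machine later fails to boot, writing the saved sector back with a disk tool restores the partition table as it was.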

Bottom line

If you're looking for a supplemental defense against malicious software, and you have a solid understanding of your system, RogueKiller is a great tool. Even if you don't use RogueKiller for its ability to repair the MBR, restore drivers, or repair hosts file, DNS, or proxy issues, the Fix Shortcuts feature alone is worth your time.

Give RogueKiller a try. It's donationware, so it won't break the bank.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

36 comments
tigerraptor

Hi, after 2 frustrating weeks of knowing I had a trojan rootkit in my system32 drivers folder, the only program that identified it was the Avira free version. [SERVICE][Root.Necurs] HKLM\[...]\CS002\[...]\Services : ab5d6aa95be3de1 (C:\WINDOWS\system32\ab5d6aa95be3de1.sys [x]) -> DELETED

But Avira and Malwarebytes couldn't fix or delete the file. I ran this program, and not only did it remove it, it flagged up 4 other hosts which were causing my system to crash and install malware.

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]

This RogueKiller has solved it in 5 minutes. I'm not an expert, but hey, it worked for me.

jconger42

Right now RogueKiller is our choice to fix malware issues. Is there a way to run this program in some type of command-line/stealth mode so that we can scan a group of computers for potential unknown infections (malware, spyware, key-loggers, etc.)? All we would need is the scan report. If something is detected, then we can access the Windows desktop directly and repair as needed.

ceajay.chattin

Download is bad, 'RogueKiller.exe isn't a valid win32 executable file' on XP Pro, Windows 7 Professional 64 and 32 bit.

JayyVee

This tool is a life saver when malware programs such as Symantec continue to let you down and not only let malware through but can't remove it or fully identify the full breadth of the infection. This tool has saved me hours of time combating malware/virus intrusions on PCs and is easy to use; if you find this 'too hard' to use, maybe you should take the time to learn something that might actually do you some good and protect you and your data in the future. The real answer across the board in almost every corporate office out there is USER education. Until that happens, carry a biiig band-aid. RogueKiller works.

jlwallen

I should have mentioned that I did run a scan on the RogueKiller file with both SEP and Clamwin before I tested it myself. Neither product found an issue with the file (had they, I wouldn't have written about it ;-) ).

walkingcougar2005

I have tried to run this application twice and both times got a BSOD.

normpritchett

Websense has identified this as a malicious site and is blocking us from downloading it. I suspect the executable is fine and non-malicious, but I would not be surprised if the software's author attracted the attention of some malware writer who decided to get even and trash his website.

Datacommguy

McAfee's SiteAdvisor blocks access to this site as "Dangerous", and if you override the block, it claims that the download contains "spyware or malicious code". I think I'll pass.....

Jaytmoon

Once downloaded, Norton detects an "issue" with this file using its reputation-based scan. I hope it is a false positive.

janakee

The French should be no problem at all. Just use Google Translate to get an English or almost any other language rendering of the website.

Ctravis

The RogueKiller redirection site comes up with a 100/100 as Malicious on zulu.zscaler.com.

scav8tor

How can you expect to trust an application site that is only in French? I have no intention of downloading software that I can't read about before I download and install.

hleveque

Do any Microsoft heavyweights recommend cleaning the registry at all? All my reading is that they do not, they say the registry does not need cleaning and you only stand to cripple the computer instead of accomplishing anything positive. Since you recommend this prog to clean the registry, I assume you are aware of all this. Please provide links to MS sources that recommend cleaning the registry.

deirdre

Falsely stopped Tivo Desktop software processes and doesn't let you exclude false positives from being stopped in the future. The program needs this facility.

oldleftwinger

This is a great little program. I have used it on a few machines and it does a wonderful job and is easy to use. My only complaint seems to be that if you turn off notifications for firewall, virus protection and automatic updates to stop the little pop-ups, then these show up as rogue programs and RogueKiller turns them back on. Just a small pain in the butt. Dave

Pertinax2

Some of us don't have flash drives. Can it run from the hard drive, a CD, or a memory stick instead ?

lehnerus2000

Seems like it might be useful. I don't like the non-resizable window though.

bboyd

Looks like a good product other than a higher expertise being necessary.

Tigzy

Hello. On which OS? Why don't you send a feedback report? I have a support email, you know ;)

R.C.D.

My reply to Datacommguy on his McAfee false positive that is. Just read where I put McAfee and replace with Websense.

Gisabun

Someone still uses McAfee? Intel's biggest mistake - buying them.

Tigzy

It's normal. Lots of AV vendors don't like anti-malware tools because of their powerful features.

R.C.D.

As McAfee protects you about as much as Norton, it's not a surprise. You can use VirusTotal to scan the URL; it comes up completely clean. My Kaspersky doesn't make a peep when visiting the URL. I would also put money on it that if you uninstall McAfee and install a real virus/malware scanner, you will find at least one bug on your "protected with McAfee" machine. If you take a look at Jotti's malware scan, you can see that McAfee, along with Websense in the post below you, is not listed, as they can't find squat.

TraineeMonkee

I've seen Norton's reputation scanner recommend against Norton/Symantec signed files. It's a crock of baloney, like their 'Fake AV' scamming tactics. If you really want to scan it, upload it to VirusTotal or Jotti's malware scan.

AstroCreep

I understand the skepticism, but just because it's not in your native language doesn't mean it isn't legit. Just use a web translation service; there are so many of them out there. Most search engines (Google and Bing, at least) have translation services which will translate full websites.

TraineeMonkee

"I find RogueKiller is superior to CCleaner for getting rid of registry issues." What 'registry issues' would those be? And the two programs have completely different aims, AFAIK. Bizarre statement... Yeah, hleveque, Mark Russinovich addressed that; he reckoned it is NOT necessary to run registry cleaners/optimisers. I think this RogueKiller is just looking at autorun locations and installed services etc., so not really a registry cleaner as such, more general anti-malware.

Tigzy

...by email :)

jlwallen

This tool can run from a hard drive (just copy the .exe to the drive) or from a memory stick. As for the CD -- it should.

Datacommguy

I've had my share of problems with multiple commercial anti-malware programs which either detected false positives (McAfee's quarantine of XP's svchost.exe comes to mind) or claimed they found something but were unable to do anything about it. And Websense, which blocked the local newspaper site for a while. For RogueKiller, WOT did not flag the site, and a scan of the downloaded program by MBAM, MSE and Norton found it clean. That said, I tend to err on the conservative side, and the BSOD report below is not comforting. I probably will, however, keep it around for worst-case problems where nothing else has worked.

Gisabun

I use Symantec and I regularly check my system with Malwarebytes Anti-Malware as well as Spybot. Both never found something that Symantec missed. You seem to be biased. On the other hand McAfee is a big piece of doo-doo.

AnsuGisalas

but nobody should use". Norton and McAfee will tie for first place of overhyped uselessness.

Jaytmoon

"If you really want to scan it, upload it to virustotal or Jotti's malware scan." I'll laugh when your system is infected because you already downloaded the file before doing a scan of any type. Kinda like asking the bullet to stop once the gun is fired!

hleveque

I wish the "experts" would quit ducking this basic question. Makes ya wonder...

jred

Just downloading the file doesn't do anything. You need to execute it. I suppose if you've got Windows configured to autorun, you save it to a flash drive, remove the drive and reinsert it, then you could be automagically infected. Then again, I've seen a user open an email "from themself", download an attachment they supposedly sent themself, unzip said attachment (luckily they included the zip password in their email), and execute the file they had no recollection of. Just downloading the file is more like loading a bullet into the gun. It has the potential to fire, but it doesn't fire itself; you need to pull the trigger.
