RogueKiller Changelog

New in version 10.8.7.0 (June 29th, 2015)

  • Removed AV.Killer definition (too many FPs)
  • Fixed a bug in mstring module, leading to infinite loop in certain circumstances
  • Now tasks scanner scans arguments too
  • Added detections

New in version 10.8.6.0 (June 22nd, 2015)

  • Adjusted AV.Killer definition

New in version 10.8.5.0 (June 22nd, 2015)

  • Added detections
  • NEW! External Scanner
  • Fixed a bug in Process Scanner
  • Fixed a bug in File Search
  • Fixed a bug in Registry Scanner
  • Now process paths are expanded
  • Fixed a bug in VT module
  • Fixed a bug in -autoscan

New in version 10.8.4.0 (June 16th, 2015)

  • Added Skype to exclusions for RunPE detections

New in version 10.8.3.0 (June 15th, 2015)

  • Added detections
  • NEW! RunPE heuristic detection
  • (Premium) Removed Paypal/Premium images
  • Refactored settings form
  • NEW! (Premium) -autoupdate command line parameter + setting
  • Updated translations
  • Fixed a bug in VT module
  • Fixed a bug in WebServer (Not starting sometimes)

New in version 10.8.2.0 (June 9th, 2015)

  • Using Licensing 2.0
  • Added detections

New in version 10.8.1.0 (June 3rd, 2015)

  • Fixed a bug in Licensing
  • Fixed a bug in VirusTotal module
  • Now portable license generated file is read-only
  • Added GUI indicators when using portable license
  • Added detections
  • Extension checker optimizations

New in version 10.8.0.0 (June 1st, 2015)

  • Updated database
  • Fixed a bug in reporting
  • Disabled PUM.DesktopIcons (too confusing, and not critical)
  • Disabled PUM.Orphan (too confusing, not critical)
  • Better unit testing
  • Initialization optimizations
  • Updated translations
  • NEW! (Premium) Web service
  • NEW! Web service /info url (get version info)
  • NEW! Web service /scan/new url (start new scan)
  • NEW! Web service /scan/status url (get scan status)
  • NEW! Web service /report/last url (get last report)
  • NEW! (Premium) -pupismalware command line parameter + setting
  • NEW! (Premium) -pumismalware command line parameter + setting
  • Reverted portable fixed location in rk_config.ini
  • Fixed error message when too many instances
  • Setup now adds RogueKiller bin folder to %PATH%
  • Updated userland certificate
  • NEW! Promotional nag.

New in version 10.7.0.0 (May 25th, 2015)

  • New configuration module, not compatible with old one. Able to use read-only medium for portable license.
  • NEW! no more rk_config.ini for technician license.
  • NEW! command line parameter: -portable-license
  • Updated languages

New in version 10.6.5.0 (May 20th, 2015)

  • Fixed a bug with KnownDLLs detection when value name starts with underscore (_)

New in version 10.6.4.0 (May 18th, 2015)

  • NEW! Preferred language is now saved
  • Added detections
  • Fixed processes scan aggressiveness
  • NEW! Logo can now be rebranded
  • Fixed a bug in Extensions Checker
  • Fixed a bug in CLSID scanner
  • Fixed Orphan detection level + vendor name => PUM.Orphan
  • Fixed License fallback state
  • Added new autostart locations
  • Added Transfer progressbar

New in version 10.6.3.0 (May 18th, 2015)

  • Added detections
  • Fixed a bug in File Search module
  • Increased feed rotation time
  • Better UI information
  • Deactivated VT IP scan (too many FPs)

New in version 10.6.2.0 (May 4th, 2015)

  • NEW! Breaking news banner
  • External libs update + optimizations (Zlib, SQLite, udis86)
  • Fixed a bug in Tab navigation

New in version 10.6.1.0 (April 27th, 2015)

  • Now VT file scan has minimum/maximum size
  • Refactored PUP/PUM classification to be clearer and more consistent
  • Fixed VT file scanner scanning LNK files instead of target
  • Now VT unknown is classified as PUP
  • Now VT cache has outdated date (fixed to 5 days)
  • Now VT scanner rescans pending items at initialization
  • Added detections

New in version 10.6.0.0 (April 20th, 2015)

  • Added detections
  • Moved version check before Prescan
  • Fixed a bug in IAT scanner, where call stack was not recorded correctly
  • Fixed a bug in IAT scanner, where unknown module was not displayed
  • Fixed a bug in RogueKiller OLD GUI, where config file was not read properly
  • Fixed ShowLegitHooks command/setting
  • Fixed slow UI when a lot of entries are added to a table
  • Fixed a bad items insertion when sorting was enabled
  • Fixed a bug in MBR (GPT) module
  • Fixed missing Premium info when internet access is broken
  • Fixed a bug in libcurl library (X64)
  • Added new method to detect IAT inline hooks
  • New:
      • VT Scan on registry, tasks, files, MBR, web browsers and antirootkit scans.
      • VT scan no longer in beta
      • VT scan now scans all processes
      • VT scan has local caching

New in version 10.5.10.0 (April 14th, 2015)

  • Added detections
  • Now can register Premium with command line parameter: -register
  • Now displays remaining activations for Premium
  • All communications are now using SSL (HTTPS)
  • RogueKillerCMD: Added better colors
  • RogueKillerCMD: Now can recognize RogueKiller's command line parameters

New in version 10.5.9.0 (April 7th, 2015)

  • Added detections
  • Now logs are sorted by date
  • Now can attach last log even if a scan was not performed in the same session
  • Fixed a bug where registration form cannot upload last report
  • Removed Post Delete message asking for Premium buying when a user is already registered
  • Now file scanner shows unscanned files (for progression), so that the software doesn't give an impression of being stuck

New in version 10.5.8.0 (March 30th, 2015)

  • Added detections
  • Fixed a bug where config isn't reset after removing the license.
  • Fixed NoPop configuration bug
  • Added all command line parameters in Settings
  • Updated translations
  • Now registration Id/Key are trimmed to avoid copying/writing spaces before/after them (and have wrong key error message)
  • Fixed updater not recognizing License on Windows 8 (now needs admin rights to be launched).
  • Updated EULA to reflect VirusTotal integration rules.

New in version 10.5.7.0 (March 23rd, 2015)

  • Fixed a crash when starting the application

New in version 10.5.6.0 (March 23rd, 2015)

  • Added detections
  • Fixed bug forbidding technician licenses to use command line
  • Added Persian translation
  • Fixed a possible hang on service termination
  • Added progress text on progressbar during the scan
  • NEW! VT scan on Processes (beta, only premium, disabled by default)
  • NEW! VT scan on Services (beta, only premium, disabled by default)
  • RogueKillerCMD: Removed tutorial opening in case of an infection

New in version 10.5.5.0 (March 16th, 2015)

  • Added detections
  • PREMIUM: Added more settings options
  • Unhidden premium options, added Nag message
  • Updated translations
  • Moved Scan choices to settings

New in version 10.5.4.0 (March 12th, 2015)

  • Added detections
  • Added credits for translators (About)
  • Now service scanner is aware of ServiceDll path
  • Updated translations
  • Now Premium registration email is trimmed (remove spaces before and after the email)

New in version 10.5.3.0 (March 10th, 2015)

  • Fixed a bug in Path module where shortened paths were not all properly expanded (Ex: LogMe~ => LogMeIn Rescue Applet)

New in version 10.5.2.0 (March 9th, 2015)

  • PREMIUM: Technician License can now use portable config file
  • Added Premium logo
  • Fixed a bug when opening website

New in version 10.5.1.0 (March 5th, 2015)

  • Using new licensing system
  • Added detections

New in version 10.5.0.0 (March 2nd, 2015)

  • NEW! Now RogueKiller is available with an installer
  • PREMIUM: Separate updater
  • PREMIUM: Trial of 30 days per machine
  • Added detections
  • Fixed a crash in jansson library

New in version 10.4.3.0 (February 23rd, 2015)

  • Added detections

New in version 10.4.2.0 (February 23rd, 2015)

  • Added detections

New in version 10.4.1.0 (February 19th, 2015)

  • Added detections

New in version 10.4.0.0 (February 18th, 2015)

  • Uniformization of whitelists/blacklists (we dropped a lot of detections, this can lead to false positives... but they will be fixed as people report them)
  • Fixed a bug in LNK signature detection
  • Fixed a bug in Time module
  • NEW! Better CLSID scanner
  • NEW! Now MBR scanner is EFI compatible
  • Updated Italian translation
  • Fixed a bug in Path module

New in version 10.3.0.0 (February 16th, 2015)

  • Added detections
  • New command line flag: -showlegithooks (Shows legit hooks that are normally hidden)
  • Big improvements in the IAT hooks engine; Preparation of refactoring for the kernel hooks.
  • Big improvements in Extension Checker module
  • Arabic translation
  • Updated translations
  • Updated Yara engine to 3.3

New in version 10.2.0.0 (January 19th, 2015)

  • Added detections
  • Updated Italian translation
  • Added German translation
  • Added Chinese traditional translation
  • Fixed a bug in Registry scanner where .DEFAULT hive is not scanned
  • Added MBR signature for FinFisher
  • Added MBR signature for TDL4
  • Added MBR signature for Rovnix
  • Fixed some bugs in MBR scanner
  • Improved low level disk access library
  • Added VBR (Volume Boot Record) scanner

New in version 10.1.2.0 (January 6th, 2015)

  • Added detections
  • Updated Spanish translation
  • Added Italian translation
  • Added hook signatures engine

New in version 10.1.1.0 (December 23rd, 2014)

  • Added Dutch translation
  • Added Italian translation
  • Added sanity check for website opening

New in version 10.1.0.0 (December 11th, 2014)

  • Added detections
  • Fixed mbamservice false positive

New in version 10.0.9.0 (December 8th, 2014)

  • Fixed Xpaj false positive with DiskCryptor MBR
  • Added DiskCryptor MBR signature
  • Added detections
  • TrueSight 1.0.4: Better shellcode module detection
  • IAT Hooks: Better shellcode module detection

New in version 10.0.8.0 (November 20th, 2014)

  • Added detections
  • Fixed bug of processes not killed
  • Now process memory is scanned before path scan

New in version 10.0.7.0 (November 20th, 2014)

  • Now process pages are scanned for whitelist
  • Updated Yara engine
  • Added detections
  • Reverted some command line to free version: -nodriver -nokill -nopop -nothirdparty

New in version 10.0.6.0 (November 13th, 2014)

  • Fixed a bug in Process module (not enough rights to get process path)
  • Fixed a bug in AV whitelist detection
  • Added detections

New in version 10.0.5.0 (November 11th, 2014)

  • Now AV processes are whitelisted
  • Added language separator for "Your language here"
  • Added Injected process heuristic detection
  • Fixed bad Zeus signature
  • More aggressive against Poweliks processes
  • Added detections
  • Updated links

New in version 10.0.4.0 (October 29th, 2014)

  • Added link to translations in language menu
  • Added Delay IAT in PE module
  • Added Delay IAT hooks in antirootkit
  • Now IAT hooks are printed to UI as they are scanned
  • Removed ctfmon from sensitive processes
  • Now detects Zeus variants
  • Now informative texts are not elided
  • Better choices (currency/amount) for Paypal form
  • Removed unused resources
  • Improvements in quarantine module
  • Now DNS entries show country IP in text report
  • PREMIUM: Added quarantine handler
  • Added detections

New in version 10.0.3.0 (October 22nd, 2014)

  • New user-agent: Now sends extended vendor names for real time monitoring
  • Added detections

New in version 10.0.2.0 (October 16th, 2014)

  • Added detection of services hidden from SCM and from registry
  • Dropped command line support in free version
  • Removed EAT hooks (useless)
  • Improved IAT hooks scanner (now scans all modules instead of main module)
  • Fixed a bug in driver library (driver could not load under certain circumstances)
  • Added Czech translation
  • Added tooltip with detection level (for colorblind people)
  • Added detections

New in version 10.0.1.0 (October 10th, 2014)

  • Improvements in Process library
  • Added COM integrity check to disable COM calls when server is corrupted (Poweliks)
  • Fixed Poweliks rule
  • Added detections
  • Fixed a bug in registry module
  • Fixed a bug in logging

New in version 10.0.0.0 (October 8th, 2014)

  • Major UI changes
  • Added support for future Premium version
  • Added support for ShellIconOverlayIdentifiers and ShellServiceObjectDelayLoad keys
  • Now CLSIDs are scanned for path and memory
  • Added detections

New in version 9.3.0.0 (October 6th, 2014)

  • New Rules engine. Easier to maintain, more robust.
  • Fixed a lot of bugs in Scanner engines.
  • Added detections

New in version 9.2.13.0 (September 25th, 2014)

  • Fixed a bug in registry module introduced in 9.2.12
  • Fixed a bug in process engine that prevented svchost processes from being killed
  • Added detections

New in version 9.2.12.0 (September 25th, 2014)

  • TrueSight 1.0.3: Fixed a Kernel stack overflow leading to a BSoD
  • Better handling of multistring registry value/key names (ZeroAccess/Poweliks)
  • Added Poweliks detections
  • Added detections

New in version 9.2.11.0 (September 18th, 2014)

  • Added detection of new Poweliks variant
  • Fixed a bug of infinite wait when COM objects are broken

New in version 9.2.10.0 (September 9th, 2014)

  • Fixed a bug in Yara scanner
  • Fixed a bug in language module
  • Fixed crash dump uploader (due to surlatoile.org move to https)
  • Added service binary path in report

New in version 9.2.9.0 (September 1st, 2014)

  • Updated Yara to 3.1.0
  • Added detections
  • Firefox PUM.HomePage is using domain whitelist

New in version 9.2.8.0 (August 16th, 2014)

  • Added detections

New in version 9.2.7.0 (August 16th, 2014)

  • Added scan of Search Page/Start Page for Internet Explorer
  • Added scan of Start Page for Firefox
  • TrueSight 1.0.2: Process Kill
  • TrueSight 1.0.2: Registry key Kill
  • TrueSight 1.0.2: File Kill
  • RogueKiller: Implementation of new Truesight features
  • RogueKillerCMD: Implementation of new Truesight features

New in version 9.2.6.0 (August 7th, 2014)

  • Removed a ZeroAccess false detection
  • Fixed a bug in registry module (introduced in 9.2.5)

New in version 9.2.5.0 (August 7th, 2014)

  • Fixed a bug in registry module (poweliks/zeroaccess trick)
  • Fixed a bug in command line parsing
  • RogueKillerCMD: Added registry value/subkey removal by index
  • Added detections

New in version 9.2.4.0 (July 25th, 2014)

  • Added detections
  • Added Key present rule
  • Added Value data rule
  • Updated Yara
  • Fixed a bug in file search module
  • Fixed a bug in honey file module
  • Fixed string limit in path module
  • RogueKillerCMD: Registry Kill

New in version 9.2.3.0 (July 14th, 2014)

  • Fixed a bug in file module
  • Added detections

New in version 9.2.2.0 (July 11th, 2014)

  • Fixed a bug in task scanner
  • Fixed a bug in path parser
  • Fixed a bug in registry module
  • Fixed a bug in install module
  • Unknown MBRs are dumped in %programdata%/RogueKiller/Debug
  • Added detections

New in version 9.2.1.0 (July 9th, 2014)

  • Fixed a bug in logging
  • Fixed unicode hosts file read/write
  • Fixed empty hosts lines scan
  • Truesight 1.0.1
  • Truesight now suspends TDL4 threads before MBR fix
  • Removed debug messages from Truesight
  • Fixed pcalua detection in task scanner
  • Added links

New in version 9.2.0.0 (July 7th, 2014)

  • Truesight 1.0 (no longer in beta)
  • Truesight loads in X64
  • Truesight rewritten from scratch (increased stability, code compatibility)
  • Truesight now detects Filters (regular, reverse)
  • Added detections
  • Added translations
  • Fixed regression about vendor url opening
  • Fixed bug about duplicate registry entries on x86

New in version 9.1.0.0 (June 23rd, 2014)

  • Added detections
  • Fixed a problem with ProgramFiles/ProgramFilesX86/ProgramFilesW6432 environment variable parsing
  • Binaries are now digitally signed.
  • Updated translations

New in version 9.0.3.0 (June 17th, 2014)

  • Fixed encoding bug in quarantine handler
  • Fixed crash window opening when no dump is available
  • Fixed duplicated files in common startup folder on XP
  • Detection of WinPE. Now LivePE/LiveUSB scan is faster and more accurate.
  • Fixed reboot query
  • Improved replacement method
  • Fixed DNS whitelisting
  • Added Zekos signatures
  • Now file replacement engine looks for same file version before replacing.
  • Fixed a bug in startup honey module
  • Fixed a bug in mbr module

New in version 9.0.2.0 (June 4th, 2014)

  • Fixed a bug in registry scanner
  • Fixed a bug in Buffer lib
  • Added chrome extensions removal
  • Fixed service repair
  • Added single instance mutex
  • Fixed a bug when trying to quit
  • Added detections
  • Added Necurs link
  • Added pathparser special rules (rundll32, wscript)
  • Fixed a bug in file parsing
  • Fixed a bug in Honey module

New in version 9.0.1.0 (June 2nd, 2014)

  • Fixed a bug in logging
  • Fixed a bug in File lib
  • Fixed a bug in GUI
  • Optimizations in String parser
  • Added detections
  • Fixed a bug in addons detection
  • Fixed a bug in forged file detection
  • Fixed a bug in service scanner
  • Now malware hooks are Orange

New in version 9.0.0.0 (May 29th, 2014)

  • Fixed bugs

New in version 9.0.0.0 Beta 3 (May 29th, 2014)

  • CLI commands -nodriver -autoscan -autodelete -autoquit -autoeula -hideui
  • Added detections
  • Fixed EULA
  • Added service repair
  • Added check for updates
  • Changed driver icon
  • Added reboot notification
  • Added pending detections notification on quit

New in version 9.0.0.0 Beta 2 (May 29th, 2014)

  • Fixed a bug in MBR log
  • Fixed a bug in Service log
  • Fixed a bug in log (RTL characters removed, ZeroAccess)
  • Replaced SUSP PATH label by Suspicious.Path
  • Removed Chrome.exe IAT/EAT scan
  • Fixed 3 bugs in IAT/EAT display (process is displayed / legit entries are hidden / fixed size of function in console display)
  • Now suspicious services registry keys are not prechecked (to avoid confusion with true malware)
  • Disabled Forged files removal (except if contains malware signature), due to some false positives
  • Fixed a bug in Registry subkey removal (ZeroAccess)
  • Fixed a bug in File replacement (added ACL copy before replace, Zekos)
  • Fixed a bug in ListView sorting (was too slow)
  • Added detections

New in version 9.0.0.0 Beta 1 (May 29th, 2014)

  • Added crash handler window
  • Reports are now translated
  • Added missing translations
  • Added hover event for Facebook / Paypal links
  • Added fancy Facebook button
  • Replaced old icons by high res icons
  • Added detections
  • Fixed a bug in ComManager

New in version 9.0.0.0 Alpha 5 (May 29th, 2014)

  • Brand new high res icon!
  • Now sending statistics to adlice.com webserver database
  • PUM color detection is now Dark Gray
  • Added web browser scan
  • Added stop button (during scan only)

New in version 9.0.0.0 Alpha 4 (May 29th, 2014)

  • Added context menu select/unselect all
  • Replaced old MBR display by a listview
  • Added MBR scan
  • Fixed carriage return bug in reports
  • Fixed bad driver decryption
  • Added Hooks scanner

New in version 9.0.0.0 Alpha 3 (May 29th, 2014)

  • Fixed a bug when exiting with file menu
  • Added hosts fix button (hosts tab)
  • Fixed window names bug (massive false positive)
  • Added true version number comparison for version checker
  • Fixed elided text bug
  • Added report footer
  • Now general progressbar is used as progression
  • Now displays fine progression
  • Added file scanner

New in version 9.0.0.0 Alpha 2 (May 29th, 2014)

  • Fixed a crash in Yara scanner on some processes
  • Fixed a bug in Hidden processes detection
  • Fixed a bug in report module, prescan results were removed from reports
  • Fixed display bug (wrong X64 display in title)
  • Fixed crash handler, now crash dumps will be located in %ProgramData%/RogueKiller/Debug
  • Fixed display bug. After removal, status of items was not updated.
  • Added Hosts file support
  • Added Hosts file line removal
  • Removed Proxy, DNS and Shortcut buttons/tabs

New in version 9.0.0.0 Alpha 1 (May 29th, 2014)

  • Rewritten engine from scratch (RKSdk V1)
  • Moved to Yara scanner
  • Fixed a lot of bugs

New in version 8.8.15 (March 27th, 2014)

  • Now crash report sends debug.log and crash dump
  • Optimizations
  • Added detections

New in version 8.8.14 (March 26th, 2014)

  • Fixed a bug in PE parser
  • Optimizations
  • Added detections

New in version 8.8.13 (March 25th, 2014)

  • Optimizations
  • Now scans IAT/EAT on x64 operating systems
  • Now scans non-PE files (example: .bat)
  • Added detections

New in version 8.8.12 (March 20th, 2014)

  • Optimizations
  • Added Thanks for Downloading Url at first use.
  • Fixed bug in MBR fix
  • Fixed progressbar behavior

New in version 8.8.11 (March 14th, 2014)

  • Optimizations
  • Added a lot of PUP detections
  • File paths are elided in console

New in version 8.8.10 (February 28th, 2014)

  • Added detections
  • Changed links
  • Fixed a bug in File library
  • RogueKillerCMD 0.1.3:
      • Added service list
      • Added service kill

New in version 8.8.9 (February 24th, 2014)

  • Added double check for current version
  • Added double post for autofeedback
  • Changed sur-la-toile.com domain for new one surlatoile.org (fixed statistics and version check)

New in version 8.8.8 (February 19th, 2014)

  • URLs are now localized
  • Fixed tree process creation deadlock

New in version 8.8.7 (February 11th, 2014)

  • Fixed bugs in Hidden process detection
  • Added traces for killed processes check bug.

New in version 8.8.6 (February 7th, 2014)

  • ACLs management improvement
  • Fixed FP in hook module
  • NEW! Google Chrome extensions are listed [Removal not supported yet]
  • Fixed Zekos FP with Zanga.exe
  • Fixed forum link in report

New in version 8.8.5 (February 3rd, 2014)

  • Added debug trace for dllhost issue
  • Added rogue detections
  • Fixed duplicates in Firefox Addons list
  • Added extensions.json / extensions.sqlite in the firefox watch list
  • Now kills firefox before removing extensions

New in version 8.8.4 (January 28th, 2014)

  • Added ACL module.
  • Fixed bug with ACLs when replacing patched file [Black Screen - Zekos]
  • Restored Zekos signatures

New in version 8.8.3 (January 24th, 2014)

  • Extension removal for IE / Firefox (context menu)
  • Neutralized Zekos signatures to avoid black screen at replacement. [To be fixed]

New in version 8.8.2 (January 17th, 2014)

  • NEW! Miuref detection and removal
  • Added Zekos x64 detection
  • Fixed a bug in honey module
  • Fixed a bug in core module
  • Fixed a bug in driver module

New in version 8.8.1 (January 14th, 2014)

  • Fixed bug in registry module
  • Fixed a bug in file module
  • NEW! Zekos detection and removal.

New in version 8.7.14 (December 27th, 2013)

  • NEW! Web browser addons are listed (Internet Explorer | Firefox)
  • NEW! Cryptolocker pattern
  • NEW! Killed process verifier. If some processes remain, they are killed by their whole tree.
  • Added detections

New in version 8.7.13 (December 18th, 2013)

  • Translated Paypal Icon
  • Fixed a bug in GUI lib
  • Added PUP pattern
  • Fixed a bug in File lib (ZeroAccess detection)
  • Added addons tab

New in version 8.7.12 (December 16th, 2013)

  • Windows 8.1 detection
  • Fixed bug in Shortcut mode
  • Refactoring of File lib
  • Added detections
  • RogueKillerCMD 0.1.2:
      • Added process list

New in version 8.7.11 (December 5th, 2013)

  • Fixed a bug in UI lib

New in version 8.7.10 (December 4th, 2013)

  • Added detections
  • RogueKillerCMD 0.1.1:
      • Fixed DLL dependencies

New in version 8.7.9 (November 25th, 2013)

  • Fixed a bug in regex parsing
  • Optimization of regex
  • Added 2 new methods for registry Read/Write
  • NEW! Honey module now uses the Win32 API Offline method (Safer)
  • Fixed a bug in script cleanup
  • Fixed a bug in mbr module
  • Added detections

New in version 8.7.8 (November 14th, 2013)

  • NEW! Added Zlib compression for crash dump sending
  • Improvement of args handler

New in version 8.7.7 (November 11th, 2013)

  • NEW! New banner
  • Fixed bugs in Registry module
  • Fixed bug in PeParser
  • Added progress window for crash report uploading
  • Now collecting Full dumps

New in version 8.7.6 (October 28th, 2013)

  • Changed crash feedback for sending crash dump instead of custom crash logs
  • Fixed bug in PeParser

New in version 8.7.5 (October 22nd, 2013)

  • Added useragent in debug log sending
  • NEW! Geoloc for proxy / DNS IPs
  • Fixed bug on TaskMan value
  • NEW! -report_output and -hide switches
  • NEW! Stop button

New in version 8.7.4 (October 16th, 2013)

  • Added COUNTRY in user agent of statistic module

New in version 8.7.3 (October 15th, 2013)

  • Detection/Removal of generic name mismatches in registry key/values (API fool trick - Rootkit)
  • Fixed a bug in HiveReader module
  • Fixed a bug in Pattern module

New in version 8.7.2 (October 10th, 2013)

  • Fixed memory leak in sigcheck
  • Fixed bug in PeParser
  • Fixed bug in File module
  • Added RECYCLER suspicious path (DorkBot)
  • Added TaskManager key monitoring

New in version 8.7.1 (October 3rd, 2013)

  • Fixed bugs in PeParser
  • Fixed bug in IAT/EAT hooks
  • Listview sorting

New in version 8.7.0 (September 30th, 2013)

  • NEW! Scan IAT/EAT of sensitive processes
  • NEW! Filesystem userland antirootkit
  • Added colors to differentiate types of objects
  • Added Romanian language
  • Fixed bug in file deletion
  • Fixed bug in Pe parser
  • Optimizations: Com library
  • Fixed bug in GUI library

New in version 8.6.12 (September 19th, 2013)

  • Added detections
  • Added MBR infos
  • Added PUM label, and more consistent colors
  • Fixed a bug in MBR module

New in version 8.6.11 (September 11th, 2013)

  • Fixed a crash at startup on x64 OS

New in version 8.6.10 (September 9th, 2013)

  • Fixed a bug in PeParser
  • TrueSight 0.9.1

New in version 8.6.9 (September 3rd, 2013)

  • Fixed a bug in PeParser
  • Added Export parsing
  • Fixed a bug in SSDT parsing
  • Added detections

New in version 8.6.8 (September 2nd, 2013)

  • Fixed a bug in peParser
  • Truesight v0.9

New in version 8.6.7 (August 28th, 2013)

  • Fixed display issue
  • Fixed problem in Registry module
  • Added Rogue.AntiSpy-LSP pattern (Live Security Professional)
  • Added detections

New in version 8.6.6 (August 19th, 2013)

  • Ability to resize the application (but still flickering when resized...)
  • Fixed display issue in safe mode
  • Removed Hosts scan if file is bigger than 1MB
  • Added detections
  • Fixed bug in removal

New in version 8.6.5 (August 5th, 2013)

  • Added support for new ZeroAccess variant (RTL)
  • Added AutoRun value support in PE mode
  • Fixed bug for rebooting query
  • Fixed bug in file/folder deletion
  • Removed unauthorized characters in report
  • Updated links

New in version 8.6.4 (July 30th, 2013)

  • Fixed display bugs
  • Added tab icons
  • NEW! One scan can allow user to trigger each option once (Delete, HostsFix, DNSFix, ProxyFix)
  • Fixed bug in DLL module
  • Modified Honey display in report
  • Fixed bugs in PeParser
  • Fixed bug in file parser
  • Added detections
  • Database queries switched to UNICODE

New in version 8.6.3 (July 17th, 2013)

  • Added detections
  • Fixed bugs
  • Added crash feedback link into crash window

New in version 8.6.2 (July 2nd, 2013)

  • Modified links
  • Fixed bugs
  • Added Turkish translation
  • Added switches -autoscan, -autoaccepteula, -autoquit and -autodelete for automation of the flow

New in version 8.6.1 (June 17th, 2013)

  • Fixed bugs
  • Improved filename parsing

New in version 8.6.0 (June 14th, 2013)

  • Rewrote whole engine
  • NEW! Added icons in lists
  • NEW! Added colors for Hosts lines detection
  • Report: Split into coherent object groups (Tasks, Startup folders, registry)
  • NEW! Honey module (previous PE module rewritten from scratch)
  • NEW! .ini file for configuration storing
  • NEW! Firefox malware detection module
  • Added signatures
  • Added ZeroAccess infection => Windows Defender repair
  • Added disclaimer on Shortcut fix option
  • Added hosts malicious lines identification in report
  • Translations updated
  • Added drivers to the patched files list to check
  • Added service repair option (Tools/Repair services)
  • Added Aho-Corasick algorithm for fast signature matching. Improved signature finding speed.
  • NEW! Opera module - Added Proxy configuration

New in version 8.5.4 (March 18th, 2013)

  • Detection of malicious Hosts file lines
  • Adding signatures

New in version 8.5.3 (March 13th, 2013)

  • Fixed bugs
  • Adding signatures

New in version 8.5.2 (February 23rd, 2013)

  • Updated Necurs.A detection
  • Updated database
  • Fixed a bug in the database module

New in version 8.5.1 (February 13th, 2013)

  • Updated Necurs detection
  • Updated database
  • Fixed a bug in the database module

New in version 8.5.0 (February 9th, 2013)

  • Better handling of ZeroAccess

New in version 8.4.4 (February 2nd, 2013)

  • Italian Language
  • PE Module: Bug fixing
  • ZeroAccess detection improvements

New in version 8.4.3 (January 9th, 2013)

  • Russian Language

New in version 8.4.2 (December 31st, 2012)

  • Improvement to the PE module

New in version 8.4.1 (December 27th, 2012)

  • Fixed a bug in the PE module
  • Spanish Language

New in version 8.4.0 (December 12th, 2012)

  • Code optimizations for the x64 package
  • X64 version available
  • Fixed a bug in the Tasks module
  • Fixed a bug in the Hooks module

New in version 8.3.2 (December 7th, 2012)

  • Support for MBR Fix for TDL4

New in version 8.3.0 (November 17th, 2012)

  • Migration of the database
  • Fixed bugs

New in version 8.2.3 (November 7th, 2012)

  • Preparation for SQLite
  • Optimization of module parsing
  • Fixed a bug in x64 process path detection
  • WL dll
      • HPStatusBL.dll
  • Fixed a bug in Crypt

New in version 8.2.2 (November 6th, 2012)

  • Window BL
  • Micorsoft Security Essential Pro 2013
  • Windows 8 Defender 2013
  • MESP.exe
  • Added a whitelist by way
  • Fixed a bug in the Blacklist module
  • Changed FR tutorial link
  • Dutch translation
  • Added the date and manner in the name of the report
  • Executable is UPX-packed by default

New in version 8.2.1 (November 6th, 2012)

  • DNS WL
      • 24.222.0.95
  • Driver WL
      • avgtpx86.sys (AVG)
      • regguard.sys (RegRun)
  • Whitelist
      • cdloader2.exe
      • magicJack.exe
      • AmazonCloudDrive.exe
      • V0220Mon.exe
      • msnotif.exe
      • LGMLauncher.exe
      • Communicator.exe
  • Fixed a bug in debug
  • Modifications Module importance
  • Adaptation of the driver for Windows 8
  • Retrieve names SSDT userland API Compatibility (Win8)

New in version 8.2.0 (October 23rd, 2012)

  • Truesight v0.7
  • Fix German language
  • Various bug fixes
  • Whitelist
      • sys32/pcalua.exe
      • LogMeInSystray.exe
      • Dashlane.exe
  • DNS Whitelist
      • 86.64.145.14
      • 129.250.35.251
  • Driver WL
      • SbFw.sys (GFI)
  • Window BL
      • File Restore (FakeHDD)

New in version 8.1.1 (October 4th, 2012)

  • Traditional Chinese translation
  • Fixed minor bugs
  • Added color to differentiate detection types in the listviews
  • Fixed a bug in the Blacklist module
  • Window BL
      • XP Defender 2013
      • Vista Defender 2013
      • Win 7 Defender 2013

New in version 8.1.0 (September 28th, 2012)

  • Support for changing language at runtime
  • Fixed a bug in the Processes module
  • Added a plug MBR (for testing)
  • Added a "website" link in the report header

New in version 8.0.5 (September 24th, 2012)

  • Launch switch management
  • Added switch "-nodriver" that prevents the loading of the driver
  • Added switch "-nokill" that prevents process killing (killing certain processes causes a BSOD; it is better to attack their registry key)
  • Added an "Extern Hive" category in the report => lists the external hives found
  • Fixed a bug in external hives
  • Bugfix

New in version 8.0.4 (September 19th, 2012)

  • Encryption of files in quarantine (Use Cryptonic with key "RogueKiller" to decipher)
  • Optimization of the web module
  • Added API suppression off when a key is protected
  • Fixed a bug in HiveReader

New in version 8.0.3 (September 13th, 2012)

  • Fixed a bug in the HiveReader module
  • Fixed a bug in the Registry module
  • Fixed a bug in the File ASSO module
  • Fixed a bug in the Proxy FF module
  • Support for maxSST rootkits (fix disabled because untested)
  • Deactivation of "Patched" module (not really used, too many false positives)
  • Whitelist DLL:
  • tv_w32.dll
  • Whitelist:
  • %Windir%/HelpPane.exe
  • TeamViewer.exe
  • tv_w32.exe
  • TeamViewer_Desktop.exe
  • ibsvc.exe

New in version 8.0.2 (August 31st, 2012)

  • Particular files:
  • \\RECYCLER\\[ANYFOLDER]\\$********************************\\n
  • \\RECYCLER\\[ANYFOLDER]\\$********************************\\@
  • \\RECYCLER\\[ANYFOLDER]\\$********************************\\L
  • \\RECYCLER\\[ANYFOLDER]\\$********************************\\U
  • Incproc HJ:
  • {fbeb8a05-beee-4442-804e-409d6c4515e9}

New in version 8.0.1 (August 30th, 2012)

  • Whitelist:
  • c2c_service.exe
  • procexp.exe
  • Driver WL:
  • RapportCerberus$ (trusteer)
  • Truesight v0.6:
  • Monitoring of DriverEntryIO

New in version 8.0.0 (August 27th, 2012)

  • Monitoring of HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters: DataBasePath (HOSTS)
  • Various improvements
  • Added an information box about the infection
  • Redesign of some windows
  • Whitelist
  • StatBar.exe
  • % windir% \ ^ ^ Service.exe

New in version 7.6.6 (August 11th, 2012)

  • Search for replacement files in case of patched files.
  • Replacement of patched files in DELETE mode

New in version 7.6.5 (August 4th, 2012)

  • Fixed a bug in peParser (PE x64)
  • Added Signature:
  • ZeroAccess (services.exe x64)

New in version 7.6.4 (July 17th, 2012)

  • Added a blacklist for registry values
  • BlacklistValue
  • Update (POLICE)
  • Add to blacklist patterns (POLICE)
  • fest0r_ot.exe
  • Schnarch.exe
  • Whitelist DLL
  • cleanup.dll (MMFA)
  • Windows BL
  • File Recovery

New in version 7.6.3 (July 9th, 2012)

  • Fixed a bug in HiveReader (handling of Unicode registry values)
  • Add to blacklist patterns (POLICE)
  • roper0dun.exe
  • rasmxs.exe
  • SCardDlg.exe
  • TapiSysprep.exe
  • 0_0u_l.exe

New in version 7.6.2 (July 2nd, 2012)

  • Added a module to kill / relaunch processes, including the removal of particular files (explorer.exe is killed / relaunched)
  • Fixed a bug in the detection of specific files
  • Monitoring of key: HKCR\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32 (ZeroAccess)
  • Blacklist
  • sys32/n
  • Share files blacklist
  • windows\\Installer\\{********-****-****-****-************}\\L
  • localAppdata\\{********-****-****-****-************}\\L
  • sys32\\config\\systemprofile\\Local Settings\\Application Data\\{********-****-****-****-************}\\L
  • sys32\\config\\systemprofile\\Local Settings\\Application Data\\{********-****-****-****-************}\\U
  • sys32\\config\\systemprofile\\Local Settings\\Application Data\\{********-****-****-****-************}\\@
  • sys32\\config\\systemprofile\\Local Settings\\Application Data\\{********-****-****-****-************}\\n

New in version 7.6.1 (June 28th, 2012)

  • Added a system file verification module (ASLR + signature search)
  • Checking the file services.exe
  • Added ZeroAccess signature (services.exe)
  • Bug fixes (Module Window)

New in version 7.6.0 (June 26th, 2012)

  • Added a user agreement (EULA)
  • Changing the module files Particular consideration for reasons of comparison by removing + mask
  • Share files blacklist
  • Part files blacklist
  • windows\\Installer\\{********-****-****-****-************}\\n
  • windows\\Installer\\{********-****-****-****-************}\\@
  • windows\\Installer\\{********-****-****-****-************}\\U
  • localAppdata\\{********-****-****-****-************}\\n
  • localAppdata\\{********-****-****-****-************}\\@
  • windows\\Assembly\\GAC\\Desktop.ini
  • windows\\Assembly\\GAC_32\\Desktop.ini
  • windows\\Assembly\\GAC_64\\Desktop.ini
  • Drivers WL
  • avgidsshimx.sys (AVG)

New in version 7.5.4 (June 8th, 2012)

  • Monitoring of key: HKCR\\CLSID\\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\\InprocServer32 (ZeroAccess)
  • Add to blacklist patterns (POLICE) pkg0u.exe

New in version 7.5.3 (June 5th, 2012)

  • Improved interface
  • Review of translations
  • Updated ZeroAccess (Sirefef) detection
  • Add to blacklist patterns (POLICE):
  • krussel3.exe
  • AMD_cpx.exe
  • Apple_Store.exe
  • cs8v0k.exe

New in version 7.5.2 (May 31st, 2012)

  • Improved the path redirection module
  • Whitelist:
  • SpotifyWebHelper
  • %windows%/ALCMTR.exe
  • Add to blacklist patterns (POLICE):
  • ArchiverforWin.exe
  • game_client.exe
  • WinArchiver.exe

New in version 7.5.1 (May 28th, 2012)

  • Monitoring of HKLM\SYSTEM\ControlSet001\Control\SafeBoot: AlternateShell
  • Monitoring of the x64 registry key for SHELL
  • Add to blacklist patterns (POLICE)
  • k8h0pp.exe
  • Temp##.exe
  • ServiceVBOX.exe

New in version 7.5.0 (May 25th, 2012)

  • Added ability to use RogueKiller under PE environment.
  • Ability to scan the windows in hives external connection of SD.
  • Fixed a bug in ntreg
  • Added desktop to suspicious paths
  • Add to blacklist patterns (POLICE):
  • k8h00.exe
  • VboxServs.exe

New in version 7.4.5 (May 19th, 2012)

  • Integration of the ntreg library
  • Add to blacklist patterns (POLICE)
  • ch8l0.exe
  • p0j99p.exe
  • spoolsrv.exe
  • FSnapshot_x86.exe
  • BSI.bund.exe
  • GboxService.exe
  • InfoServices_a.exe
  • ksprskylabs1.exe

New in version 7.4.4 (May 8th, 2012)

  • Added POLICE detection patterns
  • #{1}.#{12+}.exe
  • wpbt#{1}.dl{2}
  • hnszs#{1}.exe
  • a.bat ms ****
  • ram_reserver64.exe
  • itunes_service#{2}.exe
  • syncservicex86.exe
  • EPUhelpers.exe
  • DNS_Servicex86.exe

New in version 7.4.3 (May 4th, 2012)

  • Implemented patterns for detection of processes, RUN keys, SHELL, Startup
  • Fixed a bug in HiveReader
  • Code Optimizations
  • TrueSight: Code hardening

New in version 7.4.2 (May 3rd, 2012)

  • Fixed a bug in HiveReader

New in version 7.4.1 (May 3rd, 2012)

  • Whitelist E_FATIHJL.EXE
  • Added pattern GEMA
  • Added pattern POLICE
  • Fixed a bug in readMBR
  • Fixed a bug in SSDT

New in version 7.4.0 (May 2nd, 2012)

  • Fixed a bug in the debug mode
  • Add license ExceptionHandler => automatic management of crashes (in part). When a crash occurs, a window opens and prompts the user to send it automatically.
  • BL Window:
  • Data Recovery (FakeHDD)
  • Language support:
  • German

New in version 7.3.4 (May 2nd, 2012)

  • Add license SigCheck, allowing the search for signatures in binary files.
  • Search for signatures in the process
  • Fixed a bug in readMBR (reorganization of the priority of signatures)
  • Fixes in the language resources.

New in version 7.3.3 (April 23rd, 2012)

  • Now takes the Start_TrackProgs value into account (Recent Programs menu)
  • Fixed a bug in HiveReader
  • Changing ACLs before checking RUN key (bug virus Mounted)
  • Language support:
  • Greek
  • Portuguese

New in version 7.3.2 (March 20th, 2012)

  • Fixed a bug in startup
  • Added monitoring of folder "Common Startup"
  • TrueSight v0.5: Code Optimizations
  • Updated Czech / Slovak language
  • Added checkbox "AntiRootkit" which disables the functionality of the module TrueSight

New in version 7.3.1 (March 20th, 2012)

  • Fixed a bug in faked mode
  • Added a checkbox to disable the faked module (the scan takes time)
  • Whitelist:
  • Skype.exe
  • FixCamera.exe
  • firefox.exe
  • plugin-container.exe
  • Driver WL
  • Crypto.sys /* SafeNet */
  • mfehidk.sys /* McAfee */
  • wpsdrvnt.sys /* Symantec */

New in version 7.3.0 (March 9th, 2012)

  • TrueSight v0.4
  • Ability to inline hooks.
  • TrueSight: Detection of IRP hooks (Major and Inline) on a given driver -> Atapi.sys
  • Ability to inline IRP hooks (may cause a BSOD in some cases, this function needs to be improved. For use only as a last resort).
  • Added a confirmation messagebox asking if no deletion was performed
  • TrueSight: Bypass function driver for Windows 8 (not compatible for now)
  • TrueSight: Code Optimizations
  • Detection of Windows 8
  • Fixed a bug in HiveReader (value / key with accents)
  • Adding a module for detecting faked files (experimental)
  • Applied sys32/drivers
  • Fixed a bug in SHELL
  • Fixed a bug in STARTUP
  • Fixed a bug in WEB
  • Module Startup: Ability to see the records of all sessions (instead of the current)
  • Monitoring of HKCU\...\Advanced: Start_ShowRun

New in version 7.2.1 (March 1st, 2012)

  • TrueSight v0.3
  • Detection of inline hooks (SSDT functions only)
  • Fixed a bug in HiveReader
  • Driver WL
  • avipbb.sys /* Avira */
  • avkmgr.sys /* Avira */
  • BL Window
  • Smart Fortress 2012
  • Windows Shield Tool
  • Windows PRO Scanner
  • Basic Windows Antivirus
  • Windows Guard Stability
  • Windows Firewall Constructor

New in version 7.2.0 (February 27th, 2012)

  • Added FixMBR option in the MBR tab. This option becomes available if an MBR infection is found.
  • Possibility to fix the MBR with a standard MBR bootstrap (XP, Vista)
  • Added a module for direct reading of hives => detection of keys / values hidden from the API
  • Toshiba MBR detection
  • Lenovo MBR detection
  • Standard MBR detection
  • KIWI Image MBR detection system
  • Whitelist:
  • Spotify.exe
  • jusched.exe (global)
  • BL Window:
  • Windows Functionality Checker
  • Windows Smart Warden
  • Home Malware Cleaner
  • Windows Smart Partner
  • antivirus Protection
  • Windows Telemetry Center
  • Catalyst Windows Perfomance
  • Strong Malware Defender

New in version 7.1.0 (February 15th, 2012)

  • Switched the code to Unicode (instead of ANSI)
  • Bug fixes
  • Added language support:
  • Czech
  • Slovak
  • Updated Whistler / Sinowal MBR detections
  • myBIOS MBR detection
  • Detection of MBRs flooded with NOPs
  • Blacklist window
  • Security Scanner
  • Internet Security
  • Internet Security 2012
  • Rogue ProgFile
  • \\PCSpeed Service\\
  • \\everyclear\\

New in version 7.0.4 (February 8th, 2012)

  • Fixed a bug making the buttons disappear in some low screen resolutions

New in version 7.0.3 (February 7th, 2012)

  • Changing the module LL2 => less access error alone, mostly on x64 OS
  • Fixed a bug in the workflow of secondary modes
  • Blacklist
  • InetAccelerator.exe (Gendarmerie2)

New in version 7.0.2 (February 7th, 2012)

  • Bug fixes displays (Line breaks over) in the edition of
  • Fix in MBR module => partition size updated (1 KB = 1024 bytes)
  • Whitelist : adawarebp.exe, DropBox.exe
  • Rogue ProgFiles
  • BoanCatch
  • pcupgrade
  • best-pc
  • PCMaster Antispyware
  • InfoSeven
  • comdoumi
  • Added pattern Rogue.ViusDoctor, Rogue.Zaxar
  • BL Window
  • Smart Antivirus Protection
  • Malware Protection Center

New in version 7.0.1 (February 7th, 2012)

  • Fixed a bug in MBR => type scores updated
  • Fixed a bug in MBR => Calculation of partition sizes updated
  • Upgrade to 5 PhysicalDrive Max
  • Added name of physical disks

New in version 7.0.0 (February 7th, 2012)

  • Switching to GUI

New in version 6.2.4 (January 13th, 2012)

  • Added HKEY_USERS\\Software\\Classes\\pezfile\\shell\\open\\command
  • Added HKEY_USERS\\Software\\Classes\\.exe\\shell\\open\\command
  • Added HKEY_USERS\\Software\\Classes\\exefile\\shell\\open\\command
  • Fixed a bug in the REG backup
  • Added option: WhyIGotInfected? => opens the Wigi page
  • Opens links to the blogspot procedures based on the detected infections (ZeroAccess, FakeRean)

New in version 6.2.3 (January 9th, 2012)

  • Whitelist smad.exe
  • Whitelist Dll
  • BatInfEx.dll
  • BatLogEx.dll
  • Driver Whitelist
  • hookcentre.sys /*Gdata*/
  • Window Blacklist
  • System Check
  • Rogue ProgFiles
  • \\InfoSafe\\
  • \\CleanerCom\\
  • \\MicroVaccine\\
  • \\PC-Spider\\
  • \\CYAK\\
  • \\PcVirusDoctor\\
  • \\VDoctor Professional\\
  • \\CheckSpeed\\

New in version 6.2.2 (January 9th, 2012)

  • Detection of TestDisk MBR code
  • Detection of HP tattooed MBR code
  • Detection of Whistler MBR code
  • Distinction between Vista / 7 MBR code
  • Detection of Linux MBR code
  • Fixed a bug in the REG backup module