[Jaxryley]

@Jaxryley, Yeah sure but the rogue stop roguekiller anyway so he can block it really, if the author have not done a feature for 'allow'.

You can disarm this rogue family manually by going into Device Manager - System devices and Disabling "[cmz vmkd] Virtual Bus".

Once that is disabled a scan with Malwarebytes will run to completion.

If Malwarebytes had already tried to be run with the driver active and won't run again then you need to go into Malwarebytes Programs Folder and reset permissions on mbam.exe.

But it's way easier to run RogueKiller first then run a scan with Malwarebytes.

Sys.JPG (19.7 KiB) Viewed 290 times

[kmd]

EDIT: Anyone got a sample of Windows problem detector?

hi

look here

http://www.kernelmode.info/forum/viewto ... 5&start=70

[Tigzy]

Hello again ;)

Sorry, it's my fault, Windows Problems Detector and not Protector...
Thx for the samples, I'll try this evening.

@Jaxryley, Yeah sure but the rogue stop roguekiller anyway so he can block it really, if the author have not done a feature for 'allow'.

Yeah, for sure cause there's a killAV driver in most case. The driver intercepts calls to new processes ans blocks them. I guess that even HideToolz is blocked, isn't it?
Maybe a driver can pass through, but a single process will be locked regardless to its content. Only certain process will be allowed, and my opinion is that theses process are thoses which were existing at the startup of the rogue (a white list is established at the beginning)

The idea is to take one of the white list names.