RogueKiller / MBR:Yurn-A (RTK) in new RGK signatures
« on: February 14, 2019, 04:27:03 pm »
Hi, I had no problems before, but I downloaded the newest signatures 20190213_112737, and I found in C:\ProgramData\Roguekiller\signatures\mbr a thing called MBR:Yurn-A (RTK), this trojan or whatever it is.
It was found by avast.

I am for some reason no longer even able to upload anything to VirusTotal; it says "Please answer the following puzzle to help us prevent abuse" and doesn't let me upload either that mbr file or any other to VirusTotal.

I commonly scan my computer with RogueKiller, Avast, ESET Online Scanner (it's a one-time scan only), Malwarebytes and MBAR. Nothing was found. Only Avast found this file.

I am uploading this file here to this post, can you please check it? Thanks

edit: I was able to upload the file to VirusTotal, and it found this:

The file is flagged as the same virus by both AVG and Avast, but nothing else.

Thanks a lot buddy :). Appreciate your help.
One last question: what is HJ.Name actually? What kind of infection is it and what damage does it cause?

Ofc, you said it is very likely to be a false positive.
But if it wasn't, and it was real, what does it do? Thanks a lot :)

Sure, here you go. Thx for reply.

At the end of this first scan, I tried to delete everything.
I did the following scans and Hj.Name doesn't show up anymore, but all Suspicious.Path entries do.

Roguekiller found 4 entries:
¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤
[Hj.Name (Malicious)] csrss.exe (672) -- \Device\HarddiskVolume3\Windows\System32\csrss.exe -> Found
[Suspicious.Path (Potentially Malicious)] nvcontainer.exe (3892) -- C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe -> Found

¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] NvContainerLocalSystem (3892) -- "C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -f "C:\ProgramData\NVIDIA\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -st "C:\Program Files\NVIDIA Corporation\NvContainer\NvContainerTelemetryApi.dll" -> Found

¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> O23 - Services
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NvContainerLocalSystem -- "C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -f "C:\ProgramData\NVIDIA\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -st "C:\Program Files\NVIDIA Corporation\NvContainer\NvContainerTelemetryApi.dll" (missing) -> Found

The only thing I did during the last few days was download some addons for WoW, but from WoWInterface and WoW Curse, the ones that had the most downloads, so they should be safe.
Before I started playing WoW I scanned my PC and found nothing; after starting and downloading addons I found this. They may, however, be completely unrelated to my problem.

Is this a false positive or real, please? I am uploading a file of the scan results. Thanks.

Hi, I am sorry for bothering you. Is what I found an issue? Thank you :)

RogueKiller / Wargaming Suspicious Path found, probably false positive
« on: October 23, 2018, 08:44:32 pm »
Hi, I downloaded the new version of RogueKiller, ran it in normal and safe mode, and it did not find anything.
Then a few hours later, I scanned with it again and it found this:

[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1239764888-2148109162-3447206424-1001\Software\Microsoft\Windows\CurrentVersion\Run | Game Center : "C:\ProgramData\\GameCenter\wgc.exe" --background '' [7] -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1239764888-2148109162-3447206424-1001\Software\Microsoft\Windows\CurrentVersion\Run | Game Center : "C:\ProgramData\\GameCenter\wgc.exe" --background '' [7] -> ERROR [2]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{438D6068-C8F4-4A4D-9D25-790985B62D50}C:\programdata\\gamecenter\wgc.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\programdata\\gamecenter\wgc.exe| Game Center| Game Center| [7] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{9CA939D7-0F17-47D6-9DB3-25651E0CFE98}C:\programdata\\gamecenter\wgc.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\programdata\\gamecenter\wgc.exe| Game Center| Game Center| [7] -> Deleted

This is probably a false positive, but could you verify it for me please? I am attaching a scan report as well.

P.S. There are 4 things found; I was able to delete 3 of them, all except the second one from above. It said error. Is it a problem, and could it indicate one? Thanks
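The registry lines above (a Run value and two FirewallRules values pointing at the same wgc.exe) are what a responder actually reads when deciding "false positive or not". The following is an added triage helper, not part of this post or of RogueKiller itself: it parses RogueKiller's `[Detection] (Arch) Key | Name : Data [n] -> Status` line format, splits the Windows `FirewallRules` value string (`v2.10|Action=Allow|...|App=...`) into fields, and reports the cheap hints a defender checks first: a doubled path separator, a user-writable install location, and an inbound allow rule on the Public profile. The sample lines are copied from this thread; the flag names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: three lines quoted from the RogueKiller reports in this thread.
SAMPLE_REPORT = r"""
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1239764888-2148109162-3447206424-1001\Software\Microsoft\Windows\CurrentVersion\Run | Game Center : "C:\ProgramData\\GameCenter\wgc.exe" --background '' [7] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{438D6068-C8F4-4A4D-9D25-790985B62D50}C:\programdata\\gamecenter\wgc.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\programdata\\gamecenter\wgc.exe| Game Center| Game Center| [7] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {27624FD4-2773-4BBD-8B37-317672D4C322} : v2.28|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|RPort=80|RPort=443|RPort=8080|App=C:\Users\XXXXXXX\AppData\Local\Warframe\Downloaded\Public\Tools\Launcher.exe|Name=Warframe Launcher (TCP-In)|EmbedCtxt=Warframe|Edge=TRUE| [7] -> Found
"""

# One RogueKiller registry line: [Detection] (Arch) Key | ValueName : Data [n] -> Status
LINE_RE = re.compile(
    r"^\[(?P<detection>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?) \| "
    r"(?P<name>.+?) : (?P<data>.*) \[[^\]]*\] -> (?P<status>\w+)$"
)

def parse_firewall_rule(data):
    """Split 'v2.10|Key=Val|...' into {key: [values]}; RPort repeats, unnamed tokens are kept."""
    parts = data.split("|")
    if not parts or not parts[0].startswith("v"):
        return None
    fields = defaultdict(list)
    for tok in parts[1:]:
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k].append(v)
        elif tok.strip():
            fields["_unnamed"].append(tok.strip())
    return dict(fields)

def app_path(data, rule):
    """Program the entry points at: App= of a firewall rule, else first token of a Run value."""
    if rule is not None:
        return rule.get("App", [None])[0]
    m = re.match(r'^"([^"]+)"|^(\S+)', data)
    return (m.group(1) or m.group(2)) if m else None

def path_flags(path, rule):
    """Triage hints (my own labels) a responder checks before calling an entry benign."""
    flags = []
    if "\\\\" in path[3:]:                      # doubled separator after the 'C:\' prefix
        flags.append("doubled_separator")
    low = path.lower()
    if "\\programdata\\" in low or "\\appdata\\" in low:
        flags.append("user_writable_location")  # binary lives outside Program Files
    if rule and rule.get("Dir") == ["In"] and rule.get("Action") == ["Allow"] \
            and "Public" in rule.get("Profile", []):
        flags.append("inbound_allow_public")    # listening socket exposed on public networks
    return flags

def triage(report):
    results = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rule = parse_firewall_rule(m["data"]) if m["key"].endswith("FirewallRules") else None
        path = app_path(m["data"], rule)
        results.append({"detection": m["detection"], "status": m["status"], "value": m["name"],
                        "app": path, "rule": rule, "flags": path_flags(path, rule) if path else []})
    return results
```

Run `triage(open("report.txt").read())` on a saved RogueKiller report; entries with no flags are the ones most likely to be plain false positives, the flagged ones are what to verify (publisher signature, hash lookup) before deleting.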

RogueKiller / Another False Positive? PUP RunOnce in registry
« on: September 22, 2018, 06:30:19 pm »
Hello again, one hour later.
I did another Roguekiller scan, in safe mode this time, and it found this:

¤¤¤ Registry : 2 ¤¤¤
[PUP] (X64) HKEY_USERS\S-1-5-21-1239764888-2148109162-3447206424-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Windows\System32\msconfig.exe %windir%\system32\msconfig [-] -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-1239764888-2148109162-3447206424-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Windows\System32\msconfig.exe %windir%\system32\msconfig [-] -> Found

Is this a false positive, please? I uploaded the text file. Thanks

RogueKiller / False Positive? Warframe - [Suspicious.Path] found in registry
« on: September 22, 2018, 03:19:15 pm »
Hello, this was found today while scanning; is this a false positive, please?

¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {27624FD4-2773-4BBD-8B37-317672D4C322} : v2.28|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|RPort=80|RPort=443|RPort=8080|RPort2_10=6665-6669|RPort2_10=6695-6699|App=C:\Users\XXXXXXX\AppData\Local\Warframe\Downloaded\Public\Tools\Launcher.exe|Name=Warframe Launcher (TCP-In)|EmbedCtxt=Warframe|Edge=TRUE| [7] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {FE17ED16-68BE-49B0-B16E-7D8378EC5C2A} : v2.28|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|RPort=80|RPort=443|RPort=8080|RPort2_10=6665-6669|RPort2_10=6695-6699|App=C:\Users\XXXXXXX\AppData\Local\Warframe\Downloaded\Public\Tools\Launcher.exe|Name=Warframe Launcher (TCP-Out)|EmbedCtxt=Warframe| [7] -> Found

I scanned my PC the day before yesterday and nothing was found, and I had the same version of RogueKiller installed as I have today (V12.13.1.0). I have Warframe installed on my external HDD, but I do not remember launching it yesterday. I scanned my PC today and this was found. I am attaching the txt file as well.
Thanks :)

General Discussion / Avast reports adlice site is malicious: Url:Mal
« on: July 04, 2018, 04:47:14 pm »
Hi guys, is this a false positive? Once I get to the download of RogueKiller through the Adlice website, I get an Avast message that the website was blocked due to it containing Url:Mal.
Never received that before, until now.
False positive or not? Thx
Website is:

The first report was from adlice com and it was HTML:Iframe-inf

Are these false positives by Avast?