

Messages - Faergor

16
RogueKiller / Re: MBR:Yurn-A (RTK) in new RGK signatures
« on: February 15, 2019, 11:33:34 am »
No, not anymore.
I have the newer signature 20190210_151546 and I no longer detect it with Avast. I sent the mbr file to Avast and AVG yesterday and explained the issue to them.
Still waiting until they let me know the result of the analysis and hopefully exclude this.

OK, so, 2 questions:
1. Is there a possibility that perhaps this mbr file got infected on my computer?
OR
2. My mbr file was a false positive all along? Have you please scanned the file I uploaded here (the one that was being flagged as a virus), and can you confirm that my file was a false positive all along and certainly was not infected?
It was never found by anything other than Avast.

Thanks :D I just want to make sure that my file was never infected in the first place.

17
RogueKiller / Re: MBR:Yurn-A (RTK) in new RGK signatures
« on: February 14, 2019, 08:40:44 pm »
I downloaded the 20190214_084435 signature and it still shows the same virus.
I uploaded the file here for analysis.
I sent AVG and Avast an email regarding this issue as well; hopefully they will resolve this.

I am going to look whether there is a newer signature after this one; you mentioned that you fixed this.

I will try it and let you know if it still shows up :D

18
RogueKiller / Re: MBR:Yurn-A (RTK) in new RGK signatures
« on: February 14, 2019, 05:42:10 pm »
Great, thanks mate :)

19
RogueKiller / Re: MBR:Yurn-A (RTK) in new RGK signatures
« on: February 14, 2019, 05:24:58 pm »
I know it is part of the signature database, but could a version of this file be malicious?
Can you scan this file I uploaded please and verify whether this is real or a false positive?
I mean, did it by any chance slip through your radar when you were uploading the signatures, or, if not, did it get infected on my computer by something else?

I downloaded an even newer database today, half an hour ago, so I suppose this should be safe, but perhaps the older one was unsafe.

20
RogueKiller / MBR:Yurn-A (RTK) in new RGK signatures
« on: February 14, 2019, 04:27:03 pm »
Hi, I had no problems before, but I downloaded the newest signatures 20190213_112737, and in C:\ProgramData\Roguekiller\signatures\mbr I found a thing called MBR:Yurn-A (RTK), this trojan, or whatever it is.
It was found by Avast.

For some reason I am no longer even able to upload anything to VirusTotal; it says "Please answer the following puzzle to help us prevent abuse" and doesn't let me upload either that mbr file or any other to VirusTotal.

I commonly scan my computer with RogueKiller, Avast, ESET Online Scanner (it's a one-time scan only), Malwarebytes and MBAR. Nothing was found. Only Avast found this file.
Thanks

I am uploading this file here to this post; can you please check it? Thanks

Edit: I was able to upload the file to VirusTotal, and it found this:
https://www.virustotal.com/#/file/81f2e7a10c7f5b46134756822c22d363659d1ead7999a75373a8f165d1b7309f/detection

The file is flagged as the same virus by both AVG and Avast, but nothing else.

21
Thanks a lot buddy :). Appreciate your help.
One last question: what is HJ.Name actually? What kind of infection is it and what damage does it cause?

Ofc, you said it is very likely to be a false positive.
But if it wasn't, and it was real, what does it do? Thanks a lot :)

22
Sure, here you go. Thx for the reply.

At the end of this first scan, I tried to delete everything.
I did the following scans and Hj.Name doesn't show up anymore, but all Suspicious.Paths do.

23
Hi,
RogueKiller 13.0.9.0 found 4 entries:
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Hj.Name (Malicious)] csrss.exe (672) -- \Device\HarddiskVolume3\Windows\System32\csrss.exe -> Found
[Suspicious.Path (Potentially Malicious)] nvcontainer.exe (3892) -- C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] NvContainerLocalSystem (3892) -- "C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -f "C:\ProgramData\NVIDIA\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -st "C:\Program Files\NVIDIA Corporation\NvContainer\NvContainerTelemetryApi.dll" -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> O23 - Services
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NvContainerLocalSystem -- "C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -s NvContainerLocalSystem -f "C:\ProgramData\NVIDIA\NvContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\NvContainer\plugins\LocalSystem" -r -p 30000 -st "C:\Program Files\NVIDIA Corporation\NvContainer\NvContainerTelemetryApi.dll" (missing) -> Found


The only thing that I did during the last few days was download some addons for WoW, but from WoWInterface and WoW Curse, the ones that had the most downloads, which therefore should be safe.
Before I started playing WoW I scanned my PC and found nothing; after starting it and downloading addons I found this. They may, however, be completely unrelated to my problem.

Is this a false positive or real, please? I am uploading a file of the scan results. Thanks.

24
Hi, I am sorry for bothering you. Is what I found an issue? Thank you :)

25
RogueKiller / Wargaming Suspicious Path found, probably false positive
« on: October 23, 2018, 08:44:32 pm »
Hi, I downloaded the new version of RogueKiller, 12.13.6.0, ran it in normal and safe mode and it did not find anything.
Then, a few hours later, I scanned with it again and it found this:

[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1239764888-2148109162-3447206424-1001\Software\Microsoft\Windows\CurrentVersion\Run | Wargaming.net Game Center : "C:\ProgramData\Wargaming.net\GameCenter\wgc.exe" --background '' [7] -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1239764888-2148109162-3447206424-1001\Software\Microsoft\Windows\CurrentVersion\Run | Wargaming.net Game Center : "C:\ProgramData\Wargaming.net\GameCenter\wgc.exe" --background '' [7] -> ERROR [2]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{438D6068-C8F4-4A4D-9D25-790985B62D50}C:\programdata\wargaming.net\gamecenter\wgc.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\programdata\wargaming.net\gamecenter\wgc.exe|Name=Wargaming.net Game Center|Desc=Wargaming.net Game Center| [7] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{9CA939D7-0F17-47D6-9DB3-25651E0CFE98}C:\programdata\wargaming.net\gamecenter\wgc.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\programdata\wargaming.net\gamecenter\wgc.exe|Name=Wargaming.net Game Center|Desc=Wargaming.net Game Center| [7] -> Deleted

This is probably a false positive, but could you verify it for me please? I am attaching a scan report as well.
Thanks

P.S. There are 4 things found; I was able to delete all 3 except the second one from the top. It said error. Is it a problem, and may it mean one? Thanks

26
RogueKiller / Another False Positive? PUP RunOnce in registry
« on: September 22, 2018, 06:30:19 pm »
Hello again, one hour later.
I did another Roguekiller scan, in safe mode this time, and it found this:

¤¤¤ Registry : 2 ¤¤¤
[PUP] (X64) HKEY_USERS\S-1-5-21-1239764888-2148109162-3447206424-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Windows\System32\msconfig.exe %windir%\system32\msconfig [-] -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-1239764888-2148109162-3447206424-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce | Application Restart #1 : C:\Windows\System32\msconfig.exe %windir%\system32\msconfig [-] -> Found

Is this a false positive, please? I uploaded the text file. Thanks

27
RogueKiller / False Positive? Warframe - [Suspicious.Path] found in registry
« on: September 22, 2018, 03:19:15 pm »
Hello, this was found today while scanning; is this a false positive, please?

¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {27624FD4-2773-4BBD-8B37-317672D4C322} : v2.28|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|RPort=80|RPort=443|RPort=8080|RPort2_10=6665-6669|RPort2_10=6695-6699|App=C:\Users\XXXXXXX\AppData\Local\Warframe\Downloaded\Public\Tools\Launcher.exe|Name=Warframe Launcher (TCP-In)|EmbedCtxt=Warframe|Edge=TRUE| [7] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {FE17ED16-68BE-49B0-B16E-7D8378EC5C2A} : v2.28|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|RPort=80|RPort=443|RPort=8080|RPort2_10=6665-6669|RPort2_10=6695-6699|App=C:\Users\XXXXXXX\AppData\Local\Warframe\Downloaded\Public\Tools\Launcher.exe|Name=Warframe Launcher (TCP-Out)|EmbedCtxt=Warframe| [7] -> Found

I scanned my PC the day before yesterday and nothing was found, and I had the same version of RogueKiller installed as I have today (V12.13.1.0). I have Warframe installed on my external HDD, but I do not remember launching it yesterday. I scanned my PC today and this was found. I am attaching the txt file as well.
Thanks :)

28
General Discussion / Avast reports adlice site is malicious: Url:Mal
« on: July 04, 2018, 04:47:14 pm »
Hi guys, is this a false positive? Once I get to the download of RogueKiller through the Adlice website, I get an Avast message that the website was blocked due to it containing Url:MAL.
Never received that before, until now.
False positive or not? Thx
Website is: download.adlice.com

The first report was from adlice.com and it was HTML:Iframe-inf

Are these false positives by Avast?
