Messages - Faergor

1
RogueKiller / Re: Possible false positive
« on: December 21, 2023, 05:03:41 PM »
Hi Faergor,

If no toolbar is installed, it is safe.
Could I ask you why you prefer it to well-known media players?

Regards.
Oh, I thought it was well known. I have been using it for years along with VLC. But I have not noticed such behaviour until now. Weird that they are forcing a toolbar.

2
RogueKiller / Re: Possible false positive
« on: December 20, 2023, 11:06:47 PM »
Hi Faergor,

Not really anymore.
The build BS.Player install is old and most of the hardcoded domains are down now.

Could you please check the Add/Remove list of your Windows install for "BS Player Control Bar"?

Regards.

I checked and there was no bs player control bar, only bs player free.
So, what is the conclusion? It was not harmful and it is ok?
I have both files deleted anyway.
Thanks :)

3
RogueKiller / Re: Possible false positive
« on: December 20, 2023, 08:25:00 PM »
Is adw conduit harmful?
I deleted both files that were flagged as malicious.

I am not sure why that has appeared, because I had bsplayer installed for a long time and it never showed anything like that before. Not sure if it updated by itself, if it does that at all, and therefore installed bs controlbar, but IMO it might have been on my PC for a long time since I installed bsplayer months/years ago, but roguekiller detected it only now?

4
RogueKiller / Possible false positive
« on: December 17, 2023, 09:40:51 PM »
Hello, I have BS player installed, what roguekiller found is Packed.Gen in bsplay.exe. Likely a false positive.
Can you fix this/can you confirm please if this is indeed a false positive?
Thanks

Attaching a log.

5
Hi Faergor,

Thanks for your feedback, again.

Yes, RogueKiller is using Cloudflare for some operations. We checked and concluded it's a false positive on Avast's part.
We contacted them to fix this. I will keep you updated.

Regards.

Thank you very much, I greatly appreciate it :). Dude, you are the best!

6
Hi Faergor,

Thanks for your feedback.
I was not able to replicate this behaviour. Could you please attach the AVAST log with your next reply?

Regards.

I am not sure if you want this one, but Avast is catching this threat through Webshield, so I am attaching webshield log. However I looked at the log and it does not seem to show anything much. Newest entries are at the bottom. If you want any other log as well, please let me know.

I want to ask however, is the IP that it keeps connecting to normal, does Roguekiller use it?
Could it be false positive or is it anything to worry about?
What can be triggering it and why on each one of the computers on our network?

I do not visit any suspicious websites, so I am not sure why I started getting these threat pop-ups from Avast, and out of nowhere.

Thanks

7
Hello, this has never ever happened to me, but I randomly received a Botnet report/threat secured from Avast, reported that it was coming from Roguekiller antimalware. I have it installed as an antimalware program. Is this a false positive? I suppose it is.
I am uploading a screenshot from Avast.
My current Avast version is 23.9.6082 - build 23.9.8494.798 and virus definitions are 231019-6.

Threat is: Botnet:Blacklisted
Report is: TCP://188.114.96.9:443

This is what this website says about this ip: https://www.abuseipdb.com/check/188.114.96.9

The website says that the IP comes from credible sources, therefore it is whitelisted there, but there are many reports for bad stuff regarding this IP as well.

Edit: I updated avast to newer version/build, and I still keep getting these reports. I started getting them only today for the first time. I even updated Roguekiller to newer version and I still get them. Reported as bad file is either Roguekiller64.exe or RogueKillerSvc.exe.
What I suspect is that I get these reports because of the Ads for upgrading the Roguekiller to Roguekiller premium that pop up here and there, so instead of that pop up I get this Avast report/threat blocked window today. That is my theory only.

Edit 2: The same thing happens on another computer on the same network; exactly the same IP is being reported, and also as botnet. The other computer also has Roguekiller and Avast installed. Also for the first time.

Edit 3: What triggers this sometimes is Clicking on "Check for Updates" button on Roguekiller, and sometimes this threat pops up when running a scan. Also it happens randomly when not doing anything.

Edit 4: Same thing happened on completely new third computer on same network. I installed avast, malwarebytes yesterday and it was ok. Today, just to verify whether it will pop up on third one, I also installed Roguekiller for the first time there, and the moment installation finished and program launched, the same thing popped up on Avast.




1. Is this false positive please?
2. Are you familiar with this new Avast behaviour and does IP shown in the screenshot belong to your server?
3. Supposedly the IP shown on the screenshot is related to CloudFlare. Does Roguekiller actually use it for something (virus definitions, pop-up ads, etc.) or has Roguekiller been infected in some way?
4. Can you try to replicate this by running Avast and Roguekiller at the same time and perhaps doing scans, updates etc while both are running at the same time?

Thanks


8
RogueKiller / Re: Tr.Gen found in InputPersonalization
« on: May 30, 2023, 07:45:17 PM »
thanks

9
RogueKiller / Tr.Gen found in InputPersonalization
« on: May 30, 2023, 05:16:11 PM »
Hello, so, I scanned my PC today and Roguekiller reported this. Is this false positive please?
I am attaching a report here as a file.

RGK says virus is in this:
C:\Users\PCusername\AppData\Local\Microsoft\InputPersonalization

I did not remove this file just in case. Thanks

10
Oh, so it's not important. Thanks :)

11
Um, I deleted that folder yesterday, what now? :D
What is the folder used for exactly?

12
Hello,
Roguekiller reported that Migration folder in Windows folder is a virus, that it supposedly contains Tr.Gen virus.
Is this false positive or real plz? Thanks
Attaching a RGK report.

13
Hello, this was found by RGK today, is it false positive? Uploading a file as well. Thanks

14
RogueKiller / Re: Tr.Gen and Miner.gen false positive?
« on: April 19, 2022, 06:55:07 AM »
thanks

15
RogueKiller / Tr.Gen and Miner.gen false positive?
« on: April 18, 2022, 10:50:27 PM »
Hello,
Roguekiller found these 2 things:

************************* Filesystem *************************
[Tr.Gen (Malicious)] (folder) Branding -- C:\Windows\Branding -> Found
[Miner.Gen (Malicious)] (folder) ImmersiveControlPanel -- C:\Windows\ImmersiveControlPanel -> Found

I am attaching a report/file as well.

Please, is this a false positive or is it real?
Is one of them a trojan and the other one a bitcoin miner?
Is it a big threat, if this is real at all?
Thanks
