Messages - cinder

1
Thank you Curson, figured as much. Will allow it to run :)

2
Malware removal help / False Positive on BakkesMod for RocketLeague?
« on: April 29, 2023, 03:00:52 AM »
Hi, my son wants to put this on the PC for his RocketLeague, it gives him access to extra features in the game. None of my other AV triggers (Bitdefender, Malwarebytes) - just RogueKiller and upon launch of the program only (not doing a passive scan on the file). I believe this is due to the exe exhibiting malware-like behaviour as it injects into the RL executable upon launch. It comes up as adw.dealply. Please let me know what you need from me for analysis.

Here is a link to the installation zip file: https://github.com/bakkesmodorg/BakkesModInjectorCpp/releases/latest/download/BakkesModSetup.zip

Plenty of support on why this happens, but doesn't mean I want to blindly add a rule for it:

https://docs.google.com/spreadsheets/d/1a-VUXfPUPS9S_OIOzdCC_tA6yyZ2ouj3OzTJnVkfD8I/edit#gid=0

As it doesn't trigger any of my other AV I presume those have it whitelisted, so wanting to verify with RK support.

Let me know if anything else is needed. Thank you.

3
RogueKiller PREMIUM / Issue Updating
« on: June 13, 2018, 02:59:17 AM »
Hi,

This is only happening on one of my PCs but I am still hoping you might know why.

This has only started for the last update and now this one. Get the error during update:

Hopefully this image link works:

Well I can't get it to embed but here's the link: https://www.dropbox.com/s/410zt0dq1xwzy2y/RK%20Error.JPG??raw=1

It's annoying to reinstall as I have to do the license and everything again.

Thanks.

4
RogueKiller PREMIUM / CCTV software being flagged as having detections
« on: March 26, 2018, 02:07:51 AM »
Please see the pasted in log file. False positive?

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : xx [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/26/2018 09:11:25 (Duration : 01:07:41)

¤¤¤ Processes : 2 ¤¤¤
[VT.Unknown] ABUS CMS.exe(18492) -- C:\Program Files\ABUS Security-Center\ABUS CMS\ABUS CMS Client\ABUS CMS.exe[7] -> Found
[VT.Unknown] DecodeProcess.exe(10308) -- C:\Program Files\ABUS Security-Center\ABUS CMS\ABUS CMS Client\DecodeProcess\DecodeProcess.exe[-] -> Found

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: INTEL SSDSC2KW480H6 +++++
--- User ---
[MBR] 8893ca9c61524a4bc2bac3ece04f0122
[BSP] c34e36e8797d75f760775409ebea4115 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 456888 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 936734720 | Size: 470 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD4003FZEX-00Z4SA0 +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 3815318 MB
User = LL1 ... OK
User = LL2 ... OK

____

Any help appreciated, thank you.

5
RogueKiller PREMIUM / Re: Proc.Run.PE - false positive?
« on: January 29, 2018, 11:13:51 PM »
No worries, thanks for the help!

6
RogueKiller PREMIUM / Re: Proc.Run.PE - false positive?
« on: January 29, 2018, 12:19:25 AM »
Hi Curson,

I did this and the scan was fine. All ok then?

Thanks.

7
RogueKiller PREMIUM / Proc.Run.PE - false positive?
« on: January 28, 2018, 03:29:14 AM »
Hi team,

Could you please let me know if this is a false positive? I am getting '[6692] svchost.exe; C:\Windows\System32\scvhost.exe'

I read another thread where you addressed this and I downloaded Process Explorer and I found process 6692, however it was listed as Google Chrome. There were many instances of svchost.exe so I did not know which one to create the dump file for.

Any help please?

Thanks.

8
RogueKiller / Re: ===> False Positives <===
« on: July 06, 2015, 07:40:56 AM »
Hi Curson,

One more for you:

¤¤¤ Processes : 1 ¤¤¤
[VT.Generic.317] Panda_URL_Filteringb.exe(7964) -- C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filteringb.exe[7] VT(6) -> Killed [TermProc]

Safe to ignore?

Using Panda AV on my Media PC.

Thanks.

9
RogueKiller / Re: ===> False Positives <===
« on: June 26, 2015, 02:59:09 AM »
Hi Curson,

Yes, I have an SSD so I keep most programs on the D:\ drive instead. Ok thanks for clarifying.

- Natalie.

10
RogueKiller / Re: ===> False Positives <===
« on: June 25, 2015, 09:04:22 AM »
I think this one has already been reported, but here it is:

¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus|AV.Killer] mbamservice.exe(3092) -- D:\Programs\Malwarebytes Anti-Malware\mbamservice.exe[7] -> Killed [TermProc]

Can this be ignored? I'm confused because I have 2 PCs running Malwarebytes and this one reports this process and my other PC does not - both same version of RogueKiller.

11
RogueKiller / Re: ==> Crash/Hang/Block, please come here <==
« on: June 25, 2015, 09:01:08 AM »
I have removed the offending software, which turned out to be Gigabyte utilities for my motherboard. FYI for future reference if anyone else is having this issue.

12
RogueKiller / Re: ==> Crash/Hang/Block, please come here <==
« on: June 25, 2015, 05:22:19 AM »
I have just run version 10.8.6.0 and it still causes the BSOD. I was watching to see which process it was currently checking and it was taskeng.exe, not sure if that helps. Dump seems to be the same.

I did some of my own analysis:

WHEA_UNCORRECTABLE_ERROR (124)
A fatal hardware error has occurred. Parameter 1 identifies the type of error source that reported the error. Parameter 2 holds the address of the WHEA_ERROR_RECORD structure that describes the error conditon.
Arguments:
Arg1: 0000000000000000, Machine Check Exception
Arg2: fffffa8011fbe8f8, Address of the WHEA_ERROR_RECORD structure.
Arg3: 0000000000000000, High order 32-bits of the MCi_STATUS value.
Arg4: 0000000000000000, Low order 32-bits of the MCi_STATUS value.

Debugging Details:
------------------


BUGCHECK_STR:  0x124_GenuineIntel

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

STACK_TEXT: 
fffff880`039935b0 fffff800`03912cb9 : fffffa80`11fbe8d0 fffffa80`0ca53040 00000000`00000001 00000000`00000000 : nt!WheapCreateLiveTriageDump+0x6c
fffff880`03993ad0 fffff800`037f3157 : fffffa80`11fbe8d0 fffff800`0386d2d8 fffffa80`0ca53040 00000000`00000000 : nt!WheapCreateTriageDumpFromPreviousSession+0x49
fffff880`03993b00 fffff800`0375a505 : fffff800`038ced00 00000000`00000001 00000000`00000000 fffffa80`0ca53040 : nt!WheapProcessWorkQueueItem+0x57
fffff880`03993b40 fffff800`036cfa95 : fffff880`01850400 fffff800`0375a4e0 fffffa80`0ca53000 00000000`00000000 : nt!WheapWorkQueueWorkerRoutine+0x25
fffff880`03993b70 fffff800`03964b8a : 00000000`00000000 fffffa80`0ca53040 00000000`00000080 fffffa80`0ca1a9e0 : nt!ExpWorkerThread+0x111
fffff880`03993c00 fffff800`036b78e6 : fffff880`03774180 fffffa80`0ca53040 fffff880`0377f0c0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`03993c40 00000000`00000000 : fffff880`03994000 fffff880`0398e000 fffff880`03993560 00000000`00000000 : nt!KxStartSystemThread+0x16


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: GenuineIntel

IMAGE_NAME:  GenuineIntel

DEBUG_FLR_IMAGE_TIMESTAMP:  0

IMAGE_VERSION: 

FAILURE_BUCKET_ID:  X64_0x124_GenuineIntel_PROCESSOR_MAE_PRV

BUCKET_ID:  X64_0x124_GenuineIntel_PROCESSOR_MAE_PRV

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x124_genuineintel_processor_mae_prv

FAILURE_ID_HASH:  {435e2195-e498-1e77-0526-f8d7450275e5}

Followup: MachineOwner
___

===============================================================================
Common Platform Error Record @ fffffa8011fbe8f8
-------------------------------------------------------------------------------
Record Id     : 01d0683f2e8df525
Severity      : Fatal (1)
Length        : 928
Creator       : Microsoft
Notify Type   : Machine Check Exception
Timestamp     : 3/27/2015 3:36:20 (UTC)
Flags         : 0x00000002 PreviousError

===============================================================================
Section 0     : Processor Generic
-------------------------------------------------------------------------------
Descriptor    @ fffffa8011fbe978
Section       @ fffffa8011fbea50
Offset        : 344
Length        : 192
Flags         : 0x00000001 Primary
Severity      : Fatal

Proc. Type    : x86/x64
Instr. Set    : x64
Error Type    : Micro-Architectural Error
Flags         : 0x00
CPU Version   : 0x00000000000306c3
Processor ID  : 0x0000000000000000

===============================================================================
Section 1     : x86/x64 Processor Specific
-------------------------------------------------------------------------------
Descriptor    @ fffffa8011fbe9c0
Section       @ fffffa8011fbeb10
Offset        : 536
Length        : 128
Flags         : 0x00000000
Severity      : Fatal

Local APIC Id : 0x0000000000000000
CPU Id        : c3 06 03 00 00 08 10 00 - ff fb fa 7f ff fb eb bf
                00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
                00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00

Proc. Info 0  @ fffffa8011fbeb10

===============================================================================
Section 2     : x86/x64 MCA
-------------------------------------------------------------------------------
Descriptor    @ fffffa8011fbea08
Section       @ fffffa8011fbeb90
Offset        : 664
Length        : 264
Flags         : 0x00000000
Severity      : Fatal

Error         : Internal unclassified (Proc 0 Bank 1)
  Status      : 0xbf80000000200401
  Address     : 0x00000000fee00000
  Misc.       : 0x0000000000000086
_________________________________________________________________________
So is this indicating an issue with my CPU? I'm now worried!

By the way, the BSOD occurs on random process scans, not just the one I mentioned earlier, so that taskeng.exe is unrelated.

13
RogueKiller / Re: ==> Crash/Hang/Block, please come here <==
« on: June 25, 2015, 05:09:11 AM »
Hi,
I'm using 10.8.4.0, is there a later version than this?
- Thanks.

14
RogueKiller / Re: ==> Crash/Hang/Block, please come here <==
« on: June 24, 2015, 01:27:24 AM »
Hi Curson,

Any progress with this issue at all?

Thanks,
- Natalie.

15
RogueKiller / Re: ==> Crash/Hang/Block, please come here <==
« on: June 20, 2015, 03:54:29 AM »
Many thanks :)
