Messages

1

RogueKiller / ESETOnlineScanner_SKY.exe proc injected - false positive or real threat?

« on: March 03, 2017, 11:09:51 PM »

Hello, I was scanning with roguekiller and received this.
Is this real or false positive? Thanks

2

RogueKiller / Re: Bios or mbr possible virus ?

« on: March 02, 2017, 04:59:39 PM »

how do I make mbr dump please?

3

RogueKiller / Bios or mbr possible virus ?

« on: March 02, 2017, 03:10:39 PM »

Hello, I would like to ask, is it possible to have mbr or bios virus?
I had a suspicion because my bios had fourth bootable device - network adapter turned o

I know I did not mess with it and after googling I found it is not usually turned on by default. my friend though installed windows first time on my pc 2 years ago and messed little bit with booting order in bios,but he said he did not touch that one. He may have, just not remember.

I reinstall my os from time to time, yesterday after finding that out I reinstalled it again, and tried scan with mbar,mbam,roguekiller,eset online scanner and aswbar.

mbar after update was not able to to start, it threw error with driver being encrypted or something, and aswbar afterwarda froze. I had to reboot.

after rebooting windows logged me with temp profile.

i tried mbar,it worked and also aswbar again, it worked as well,but I tried mbrfix in aswbar after its scan and it just threw me error. I was not able to do it for some reason.

i reinstalled windows again, just to be sure.

1. I found in RK log and aswbar log that I have unknown mbr code, is it normal?
2.Fact that I could not overwrite mbr in aswbar and windows recovery dvd command prompt indicate a virus? Or was it just normal thing.

I asked elsewhere, tried gmer, rk and eset online scanner and they said that from logs mt system is ok.
3. Would bios or mbr cirus show up if I had something like that?

thanks


 

4

RogueKiller / PUP.Divcom

« on: January 02, 2017, 02:08:55 AM »

Hello, roguekiller never found anything like that before, but now it did. I have been using malwarebytes anti rootkit for ages,just ad roguekiller and other programs.
After todays scan of roguekiller I found PUP.Divcom, I clicked to cleaned it, instead it just Killed the process. I found in mbar.exe. this is new, appeared only today ( I think after MBAR update).
Is this false positive or new? Thanks.

5

RogueKiller / Proc.injected a2start.exe

« on: October 30, 2016, 08:11:31 PM »

Hello, I freshly reinstalled my windows, just installed antivirus (emsisoft anti malware) and few other basic programs. Then I scanned computer with then, everything was ok, however, in safe mode Roguekiller found Proc.injected virus, it never ever showed before when I used roguekiller.
It found it in a2start.exe which is part of emsisoft anti malware. Is it false positive due to new version of Rogukiller (12.7.4.0) ?
If this update was released within last few days that is. One I had before, couple of days ago, found only false positive in esif_assist_64.exe in DPTF folder, but never in this one.



Started in : Safe mode with network support
User : *me *
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 10/30/2016 19:51:57 (Duration : 00:11:02)

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] a2start.exe(1672) -- C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2start.exe[7] -> Found

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 478e7c4e91c8d2773f2b9fbd06b39929
[BSP] c8ae359b025d14eada36e181b9a83faa : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 299650 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 614402048 | Size: 653867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

6

RogueKiller / Re: False positive or legit? Esif_assist_64.exe

« on: October 28, 2016, 10:27:48 PM »

Thank you.

So I do not need to be concerned?
Has this file been tested by others and reported as suspicious?

Virus total,nor anything else found anything wrong with it. Roguekiller is only thing that found it to be suspicious. Virustotal found 0 viruses, but upon closer inspection I found expired main certificate.
 Intel (R) Software - Certificate Intel external basic issuing CA 3B.
It is expired certificate that expired on 7/15/2016.

Timestamp is however all right (which I heard it is most important?) along with other sub-certificates of the file.
There are also 2 more files in DPTF folder, something with name wwan and wlan, both have also expired first main certificate with same name while othet sub-certificates are ok.

I tried deleting folder, I cant. I tried cancelling process in task manager, I will kill process and at same moment it will start again, so it cannot be stopped.

7

RogueKiller / Re: False positive or legit? Esif_assist_64.exe

« on: October 24, 2016, 01:33:57 PM »

can plz anyone verify this to me?
I found out that file and folder was not present there after reinstall, but became once I updated windows.

8

RogueKiller / False positive or legit? Esif_assist_64.exe

« on: October 23, 2016, 12:23:24 AM »

hello, each time I run roguekiller in normal mode, it finds esif_assist_64.exe in C:/Windows/Temp/DPTF/ folder.

Detection is labeled as Suspicious.Path, and type is Process.

Each time I click on delete it does not get deleted, instead it gets "killed".

File shows up every time I boot computer and shows time of creation time I booted the computer.

Description of the file is: Intel (R) Dynamic Platform and Thermal Framework Utility Application.

File does not show up in the folder when I boot computer in safe mode, and neithet does it get detected by roguekiller. It gets detected only when I run it in normal mode.


I ran it through virustotal and it came in clean, however I checked the details and it shows all certificates as legit except the first one. Also, it specified it as a Portable execution file.

Is it legit? Thanks

9

RogueKiller / Pum.proxy 6 entries - false positive?

« on: July 14, 2016, 05:58:59 PM »

Hi guys, I had suspicion due to one video that was shared randonly on FB on one page that is there, I have automatic video launching turned off. That one video launched anyway.

I went to safe mode, scanned my computer with eset online scanner, roguekiller, mbar, mbam, spybot sd. Have not found anything. I updated roguekiller, but it did not update it for some reason, then I restarted computer, update has applied to roguekiller. I scanned my computer and found 6 entries of Pum.proxy. Is that false positive or legit? It appeared first after newest update.
Thanks, have a nice day.

10

RogueKiller / Re: PUM.dns - false positive?

« on: April 24, 2016, 09:13:08 AM »

Could anyone please tell me what am I dealing with and if I should be worried or not? Thanks

11

RogueKiller / PUM.dns - false positive?

« on: April 23, 2016, 10:35:34 PM »

Hi guys,
I have never had any problem with roguekiller that I could not get rid of. Also roguekiller never found Pum
Dns malware before. Now it did. 4 entries. I tried deleting them but roguekiller just replaced them and they were back again.
I have not found them with Mbam,Mbar,Eset Online Scanner, Avg, etc. But only roguekiller.

I decided to make back up to external HDD snd reinstall windows.
I did fresh reinstall. Deleted partitions, created new ones,formatted them and installed win. Then installes drivers,updates and my stuff to laptop from external hdd.

Did roguekiller scan and found 4 pum dns entries again.
Then I did fresh reinstall again, did not update anything or download, but only downloaded roguekiller as first thing and did scan again. I had 4 entries again.
Now i tried something again.
I did the scan,replaced them.while i was disconnected from internet. It replaced the files and when I did new scan they were not founs again.
Then I turned internet again,did scan and they reappeared.

I have questions:
1. Are they legit? My opinion is that they are, very few malware/spywares can persist through fresh reinstalls
2. I found conflicting information on internet,some claimed it is legit and some it is not.
3. Seems to reappear after turning on the internet. Stays deleted if internet is off.
4. After fresh reinstall even if I had no files from backup,updates,etc. I managed to find it with roguekiller. If it was legit, most likely it would have infected a file which i had backed up,would make more sense if ot reinfected my pc that way. But I scanned first thing after reinstallation.
5. My theory is that this appeared as false positive after recent update to roguekiller. Older versions never ever found it.

Is this please legit and safe or not? Thanks.