Roguekiller Avast FP?


17 replies to this topic

#1 diaz209

diaz209

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jamaica
  • Local time:09:47 AM

Posted 24 November 2013 - 01:17 AM

Ran roguekiller on my Mom's PC and got this registry value

 

[RUN][ROGUE ST] HKLM\[...]\Wow6432Node\[...]\Run : 20131121 (C:\Program Files\AVAST Software\Avast\setup\emupdate\2c03b834-1fcc-408f-89de-d3183dcdaec0.exe /check) -> [0x5] Access is denied.

 

and if I try to remove it I get access is denied (even as admin)

Is this a false positive?


Edited by diaz209, 24 November 2013 - 01:18 AM.



#2 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:08:47 AM

Posted 24 November 2013 - 09:48 AM

Avast Emergency Updater...Avast Update brings Emergency Updater and SiteCorrect features

 

Emergency Updater is the first new feature that is integrated in all three versions of Avast. It has been designed for situations where the Avast updater is not working properly anymore. In the past, this meant that Avast users had to reinstall the whole program to get the updater to work again. With the Emergency Updater integrated into Avast, it is now possible to push updates even if the default Avast Service is not working anymore.

 

Avast users who have updated to the new version should see the avast! Emergency Update task in the Windows Task Scheduler. The task is triggered during log on of a user, and once daily, and does not need to be launched manually (even though it may be possible, it is located in C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe). This feature is a useful addition to the program, especially for users who already were in the situation where Avast would not update automatically anymore.

 

What is Avast Emergency Updater and why is it in my scheduled tasks? http://forum.avast.com/index.php?topic=100291.0

 


 

 

 

 


Edited by Union_Thug, 24 November 2013 - 09:49 AM.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,088 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:47 AM

Posted 24 November 2013 - 01:54 PM

avast! may have been attempting to run the Emergency Updater when you performed your scan with Roguekiller.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:01:47 PM

Posted 24 November 2013 - 02:05 PM

> avast! may have been attempting to run the Emergency Updater when you performed your scan with Roguekiller.

No, it's reporting the run value from the registry (I also have Avast and roguekiller reported it too). It's likely a false positive as it believes it's part of a rogue security program.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#5 quietman7


Posted 24 November 2013 - 02:20 PM

I see...I thought avast added the run value when the updater kicked in.

I don't use avast on a regular basis but it's installed on my wife and daughter's machine. I just checked and sure enough there is a run entry.

Learned something new. Either way, I agree it's a FP.

#6 xXToffeeXx


Posted 24 November 2013 - 02:31 PM

 

> I see...I thought avast added the run value when the updater kicked in.
>
> I don't use avast on a regular basis but it's installed on my wife and daughter's machine. I just checked and sure enough there is a run entry.
>
> Learned something new. Either way, I agree it's a FP.

No, it was part of an update I believe, Scotty alerted me on both my laptop and family desktop at pretty much the same time.

 

Indeed, there is always much to be learnt, and fwiw it wouldn't make much sense to keep adding the run value since it's set to run on log in and stay loaded to counteract updating problems.

 

Should this be reported?

 

xXToffeeXx~


Edited by xXToffeeXx, 24 November 2013 - 02:32 PM.



#7 quietman7


Posted 24 November 2013 - 02:36 PM

If it was part of an update...I didn't see that, just the run entry. Although in the past she (my wife) did tell me Scotty had alerted her to one of these emerg updates.

It wouldn't hurt to report it and confirm what's going on.

#8 xXToffeeXx


Posted 24 November 2013 - 03:06 PM

Well the link (by Union_Thug) says it was part of an update. Might have been a silent one as I didn't see an update either, but guessed it was part of one.

 

Reported via the facebook page with a link to this topic.




#9 quietman7


Posted 24 November 2013 - 03:09 PM

:thumbup2:

#10 quietman7


Posted 24 November 2013 - 07:21 PM

It seems like a number of users have reported this issue at the avast forums.

5 page topic: Emergency Update 2013-11-21?

If you do a search, there are a lot more topics.

No official explanation yet unless I missed it in one of those other topics...I did not read them all.

#11 xXToffeeXx


Posted 25 November 2013 - 11:44 AM

Here's what RogueKiller said in reply:

> Will add this to the whitelist. BTW it was detected as rogue because of the run key name with only numbers. I think we'll remove that heuristic detection for good since no rogue use that anymore.

 

You are quite right that there are no official topics; one of the global moderators does confirm it is meant to be like that, however.

It's happened before this Emergency Updater. I think if Avast explained it and what it is then people wouldn't get so confused. I believe it's meant to be something silent in the background though and hence why they perhaps haven't brought attention to it.

 

SAS also detects the run key, it does look very suspicious with the random numbers. That I do agree.

 

xXToffeeXx~


Edited by xXToffeeXx, 25 November 2013 - 11:44 AM.



#12 diaz209

diaz209
  • Topic Starter


Posted 25 November 2013 - 05:08 PM

Seems to be related to this too; SUPERAntiSpyware detected:

Trojan.Agent/Gen
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#20131121

around the same time others had the avast emupdate

and

this was found on all the PCs that ran SAS and avast
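
An added example, not part of any post in this thread and not RogueKiller's or SUPERAntiSpyware's code: a sketch of the digits-only run-key-name heuristic described in the RogueKiller reply quoted in post #11, run over the log line from post #1, with an install-directory allowlist as the triage step. The allowlist contents, the verdict labels and the two lines marked as constructed are assumptions made for illustration.

```python
import ntpath
import re
from pathlib import PureWindowsPath

# Layout from post #1: [SECTION][VERDICT] <key> : <name> (<command>) -> <status>
LINE_RE = re.compile(
    r"^\[(?P<section>[^\]]+)\]\[(?P<verdict>[^\]]+)\]\s+(?P<key>.+?) : "
    r"(?P<name>\S+) \((?P<command>.*)\) -> (?P<status>.*)$"
)
# Assumption: trusted install dirs. A path match is weaker than a signature check.
ALLOWLIST = [PureWindowsPath(r"C:\Program Files\AVAST Software\Avast")]

def parse_line(line):
    """Split one [RUN] log line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def image_path(command):
    """Executable of a Run command, tolerating unquoted spaces in the path."""
    m = re.match(r'^"?(.+?\.exe)\b', command, re.IGNORECASE)
    # normpath collapses "..", so a later parent match is real containment
    return PureWindowsPath(ntpath.normpath(m.group(1))) if m else None

def triage(line):
    """Return 'unparsed', 'not_flagged', 'allowlisted' or 'suspicious'."""
    entry = parse_line(line)
    if entry is None:
        return "unparsed"
    if not re.fullmatch(r"[0-9]+", entry["name"]):  # digits-only value name
        return "not_flagged"
    exe = image_path(entry["command"])
    if exe and any(root in exe.parents for root in ALLOWLIST):
        return "allowlisted"
    return "suspicious"

AVAST_LINE = (  # the line quoted in post #1
    r"[RUN][ROGUE ST] HKLM\[...]\Wow6432Node\[...]\Run : 20131121 "
    r"(C:\Program Files\AVAST Software\Avast\setup\emupdate"
    r"\2c03b834-1fcc-408f-89de-d3183dcdaec0.exe /check) -> [0x5] Access is denied."
)
# Constructed lines: same numeric-name pattern, image outside the allowlist
TEMP_LINE = r"[RUN][ROGUE ST] HKLM\[...]\Run : 48151623 (C:\Users\Public\u.exe) -> FOUND"
DOTDOT_LINE = (
    r"[RUN][ROGUE ST] HKLM\[...]\Run : 7 (C:\Program Files\AVAST Software"
    r"\Avast\..\..\..\Users\Public\u.exe) -> FOUND"
)
if __name__ == "__main__":
    for sample in (AVAST_LINE, TEMP_LINE, DOTDOT_LINE):
        print(triage(sample), "<-", sample[:60])
```

The name test alone flags all three lines, which is the false positive discussed in this thread; only the path check separates the Avast entry from the other two.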


#13 Pentodes

Pentodes

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 25 November 2013 - 05:51 PM

First of all I tried to stop emergency update, I deleted the start up entry with Crap Cleaner, but first you have to disable Avast's 'self defense module'.

 

Sure, with the module enabled it wasn't there, but with the defense module disabled it was, so I let Crap Cleaner delete it, then I rebooted and guess what....? Sure as heck the start up entry was gone but I still got the Emergency update kicking off - this wasn't a game I was about to lose.

 

I searched for the emergency.exe  using windows search.... I found the .exe file, looked like the yellow splash icon and deleted it completely - no more interference at boot up, yeah, yeah I know I shouldn't but I did.

 

What else are Avast shoving down our throats?, I mean not long ago they were letting Google Chrome install itself, then there's the VPN bug that looks like an advert when you booted up and now this?  Every time you open Avast GUI I don't like the idea of  Google being contacted.

 

So it's time I started looking elsewhere for a new AV. Avast I've had enough of; I've still got the best part of 6 months left on my subscription.

 

Talking about bugs and hiccups, what are the beta testers doing for goodness sake? I got a sneaky feeling.... I did say sneaky we are being used as beta testers that's why I deleted the .exe file.

 

Do yourself a favor, ask "what was the latest emergency update, what did it do".... one or two asked on the Avast forum and no answer was the stern reply!

 

So if you wanna try deleting any Avast start up files, you need to disable the defense module first in Avast GUI. Gee, Avast is that buggy there needs to be emergency updates every five minutes...!

 

Dave


Edited by Pentodes, 25 November 2013 - 05:54 PM.


#14 quietman7


Posted 26 November 2013 - 08:53 AM

> I think if Avast explained it and what it is then people wouldn't get so confused.

I totally agree with that. It should not be up to volunteers here or at avast to use speculation to address questions related to an issue being reported by so many users. This is poor customer service and contributes to bad press which pushes potential customers toward other alternatives.

> First of all I tried to stop emergency update, I deleted the start up entry with Crap Cleaner, but first you have to dis-able Avast 'self defense module'.

I wouldn't advise folks to do that. Instead I would recommend just ignoring the startup detection like any other FP since we know it is not malicious. Although we are not certain exactly what avast is up to with all this, the Emergency Updater is an important and useful feature when circumstances require its use. Attempting to defeat it for the sake of it not being detected during a scan may result in regret if the Emerg Updater is not working when needed to do the job it was intended to do.

#15 Pentodes


Posted 26 November 2013 - 02:38 PM

Bleepin' Janitor

 

I can understand your point but I elected to ignore the fact because I was getting sick to death of the bugs, Google 'sometimes' being forced upon you with NO option (yes, that's right NO option) either during updates or reinstall. I was tired of the VPN bug that kept cropping up for 20 seconds at boot up; it isn't adverts as some people think but a bug.

 

You would think the beta testers would provide a better show - they are getting worse!

 

Explain these-:

I disabled Avast defense module and disabled the start up file in msconfig.... no joy so I removed the .exe start up file no joy, odd don't you think?

 

The more servers you block the more what comes back at you, I un-installed Avast today and used another AV - no names no flame wars OK!

 

I can tell you this, the computer is much more responsive and Privacy Guardian (yeah, yeah it's old as Adam) cleaned about 30-35 bits of crap.... uninstall Avast install another, guess what? there's only 10 files that it cleans so what the heck was it cleaning - the sewers?

 

I advise anyone to always keep a cloned copy of the hard drive.... even if you are on a laptop - clone it! I learned that trick when Norton gave me grief, the old Norton before Symantec.

 

I do feel that Avast is using its users as beta testers, don't give two hoots if I'm right or if I'm wrong I just don't trust em anymore, folks are still wanting to know what these updates actually do and what they actually fix - why is it secretive, just what is going on?

 

If an AV is that good why are there so many bugs, BSOD's black screens of death?

 

I was still waiting to hear from two tickets one I submitted two months ago the other I submitted last week - no answer, anyway it doesn't matter now.... but some of their 'forum helpers' could do with learning some manners and take some lessons in how to treat people.

 

You can tell a good AV from its forum.

 

Dave


Edited by Pentodes, 26 November 2013 - 02:43 PM.




