False positive? Botnet reported coming from Roguekiller antimalware

Hello, this has never ever happened to me, but I randomly received a Botnet report/threat secured from Avast, reported that it was coming from Roguekiller antimalware. I have it installed as an antimalware program. Is this a false positive? I suppose it is.
I am uploading a screenshot from Avast.
My current Avast version is 23.9.6082 - build 23.9.8494.798 and virus definitions are 231019-6.

Edit: I updated Avast to a newer version/build, and I still keep getting these reports. I started getting them only today for the first time. I even updated Roguekiller to a newer version and I still get them. The file reported as bad is either Roguekiller64.exe or RogueKillerSvc.exe.
What I suspect is that I get these reports because of the Ads for upgrading the Roguekiller to Roguekiller premium that pop up here and there, so instead of that pop up I get this Avast report today. That is my theory only.

Edit 2: The same thing happens on another computer on the same network; exactly the same IP is being reported, and also as a botnet. The other computer also has Roguekiller and Avast installed. Also for the first time.

Edit 3: What triggers this sometimes is clicking on the “Check for Updates” button in Roguekiller, and sometimes this threat pops up when running a scan. It also happens randomly when not doing anything.

Edit 4: The same thing happened on a completely new third computer on the same network. I installed Avast and Malwarebytes yesterday and it was OK. Today, just to verify whether it would pop up on the third one, I also installed Roguekiller for the first time there, and the moment the installation finished and the program launched, the same thing popped up in Avast.

I’m none too surprised, given what Roguekiller does, that Avast finds it suspect.

A bit like two dogs fighting over one bone, other security based programs can conflict at times by what they do and how they go about it.

I have never used Roguekiller but then again I follow the advice not to install two active anti-malware/virus programs as there are occasions that they are likely to or will come into conflict. The tcp connection and how it works may be what Avast doesn’t like.

I have used both for at least 7 years and never had any such problem. I did have occasional false positives on both sides, but always regarding something completely different and never regarding one another I think (or maaaaaybe once regarding Avast)

I find both programs very useful for what they do, but I do find these Avast reports weird.

Could it be Roguekiller’s pop-up windows regarding the update to Roguekiller Premium? Or maybe Roguekiller does some automatic searches for new updates at certain times and that is what causes these Avast reports?

The fact that you haven’t had much in the way of false positives doesn’t mean they won’t happen or it takes more time to investigate things like this.

Your image is based on Avast not liking the connection to the TCP IP address and I can’t guess if it might be pop-up ad/promotion related. However, the specific IP appears to be related to CloudFlare.

Thank you :).

  1. What is CloudFlare and what is it in antimalware programs used for?
  2. Do antimalware programs use it for updates for Virus Definitions?
  3. Based on what you found out, could this be safe then and a false positive?

What is google :wink:

Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, and ICANN-accredited domain ...

The problem is what may be hosted/managed/delivered may not necessarily be benign.

I simply can’t comment on what the intent is, I have no idea why Roguekiller would be connecting to that IP address and using a TCP connection.

  1. So, is there absolutely no way from Avast’s side to verify whether this is a false positive or not?
  2. Could Roguekiller have been infected with something and that is why it is making these connections, or are these connections normal? - Thing is, I scanned my computer yesterday with Mbar, Malwarebytes and Avast, and they found no infection.
  3. Are Cloudflare connections normal/common for antimalware programs?
  4. Would uninstalling Roguekiller be enough to solve and remove the problem?
  5. Where should I go from here?

Edit: The same thing happens on another computer on the same network; exactly the same IP is being reported, and also as a botnet. The other computer also has Roguekiller and Avast installed. Also for the first time.

Edit 2: What triggers this sometimes is clicking on the “Check for Updates” button in Roguekiller, and sometimes this threat pops up when running a scan. It also happens randomly when not doing anything.

Edit 3: The same thing happened on a completely new third computer on the same network. I installed Avast and Malwarebytes yesterday and it was OK. Today, just to verify whether it would pop up on the third one, I also installed Roguekiller for the first time there, and the moment the installation finished and the program launched, the same thing popped up in Avast.

  • I think this could rule out Roguekiller getting infected with something, UNLESS the official upload on the official website itself was infected. I think there is something wrong with the previous and current versions of Roguekiller; they might have changed the IP it connects to when searching for new updates, etc., or they masked it badly so Avast finds this suspicious?

  • Can you/anyone replicate this by running Avast and Roguekiller at the same time and perhaps doing scans, updates, etc. while both are running at the same time?

Thank you

https://www.abuseipdb.com/check/188.114.96.9

The website says that the IP is not blacklisted but whitelisted, so it comes from credible sources (like Microsoft, etc.), but then again the IP was reported for bad stuff as well.

So is there any conclusive answer, is it safe or not? If it was not, it would be blacklisted, right?

Is it common for legit IPs to be reported for bad stuff as well or not?

https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438