Messages - melen

1
Malware removal help / Please see detected threats...
« on: May 09, 2017, 01:37:03 am »
Hi to all

Can you guys take a look at the PUM policies, and should I remove them? Before the RogueKiller scan I ran a scan with AdwCleaner and removed DRVAgent64 with AdwCleaner. I then scanned with RogueKiller and got what you see.

2
Hi...

Can somebody please verify whether these PUMs are safe or whether I should remove them...


RogueKiller V12.3.6.0 (x64) [Jun 27 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : melen [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 07/03/2016 17:08:19

Processes : 0

Registry : 11
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814} (C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 +++++
--- User ---
[MBR] f4ac79b6a1a948e74d7f9b6d0649379a
[BSP] b72eeb4ef45ede7ec6828e66fb2a6a62 : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 699978 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1436628992 | Size: 13925 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


3
RogueKiller / Re: Trojan.Siggen6.58323 What is this....
« on: May 02, 2016, 03:30:49 pm »
Hi Curson...

Sorry for posting in someone else's thread. I got carried away. I suspected that they were "false positives", so that's why I asked for help. I just wasn't sure. I really appreciate your valued assistance and help concerning my issue. I can see that your service is fast and on the money.

Thank you so very much
George
Puerto Rico

4
RogueKiller / Re: Re: PUM . dns
« on: May 02, 2016, 03:36:56 am »
Hi...

I wonder if it's possible for you to take a look and see if I have anything that I should remove. I did submit a report recently, but this is a new one. It's a bit complicated for me, as I am a newbie at this and don't know what I should do. I would really appreciate your help.

Thanks
George
Puerto Rico

...


RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : melen [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 05/01/2016 21:24:01

Processes : 0

Registry : 11
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

Tasks : 2
[Suspicious.Path] %WINDIR%\Tasks\WpsUpdateTask_melen.job -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found
[Suspicious.Path] \WpsUpdateTask_melen -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 +++++
--- User ---
[MBR] f4ac79b6a1a948e74d7f9b6d0649379a
[BSP] b72eeb4ef45ede7ec6828e66fb2a6a62 : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 699978 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1436628992 | Size: 13925 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

5
RogueKiller / Trojan.Siggen6.58323 What is this....
« on: April 29, 2016, 11:32:06 pm »
Hi...

I recently removed 2 supposed Trojan.Siggen6.58323 detections and I see them again. The description specifies that it belongs to WPS Kingsoft Office and that it's the update app. If this is true then it should be fine. You will see the RogueKiller scan below...

...

RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : melen [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan Aborted -- Date : 04/29/2016 17:03:03

Processes : 0

Registry : 13
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

Tasks : 2
[Suspicious.Path|VT.Trojan.Siggen6.58323] %WINDIR%\Tasks\WpsUpdateTask_melen.job -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found
[Suspicious.Path|VT.Trojan.Siggen6.58323] \WpsUpdateTask_melen -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] f4ac79b6a1a948e74d7f9b6d0649379a


THANK YOU very much for your service.

George

6
RogueKiller / Trojan.Siggen6.58323 What is this....
« on: April 29, 2016, 11:20:00 pm »
Hi...
I scanned yesterday and removed the 2 Tasks threats that are on the report, but today I see that they are back. I suspect that they are part of the update app for the WPS Kingsoft Office Suite. If this is true, why does the description classify them as Trojans??? I have included the scan info file:

RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : melen [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan Aborted -- Date : 04/29/2016 17:03:03

Processes : 0

Registry : 13
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

Tasks : 2
[Suspicious.Path|VT.Trojan.Siggen6.58323] %WINDIR%\Tasks\WpsUpdateTask_melen.job -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found
[Suspicious.Path|VT.Trojan.Siggen6.58323] \WpsUpdateTask_melen -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] f4ac79b6a1a948e74d7f9b6d0649379a
[BSP] b72eeb4ef45ede7ec6828e66fb2a6a62 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 699978 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1436628992 | Size: 13925 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

I would appreciate your help.

Thanks
George
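As an added example (editor's code, not RogueKiller's and not part of any reply in this thread), here is a small Python triage pass over the Registry and Tasks lines of the reports posted above. It parses the "[Tag|Tag] body -> status" line format exactly as it appears in those reports and attaches a note and a rough severity to each entry: ConsentPromptBehaviorAdmin = 0 means UAC elevates administrators without any prompt (the default on Windows 7 and later is 5), a DhcpNameServer in RFC 1918 space is normally the LAN router, and a task tagged VT.* carries a VirusTotal engine label that still needs a publisher-signature check on the file it runs. The severity levels and the wording of the notes are the editor's rules of thumb, not an Adlice classification; the sample report is constructed from lines copied from this thread.

```python
"""Triage of the Registry and Tasks lines of a RogueKiller report (added example, not Adlice code)."""
import ipaddress
import re
from dataclasses import dataclass, field
# Every finding line in the posted reports has the shape:  [Tag|Tag] <body> -> <status>
LINE_RE = re.compile(r"^\[(?P<tags>[^\]]+)\]\s+(?P<body>.*?)\s+->\s+(?P<status>.+?)\s*$")
ARCH_RE = re.compile(r"^\((X64|X86)\)\s+")      # "(X64) " prefix on registry bodies
ANNOT_RE = re.compile(r"\s*\(\[[^\]]*\]\)\s*$")  # trailing " ([])" RogueKiller appends to DNS values
# HKLM\...\Policies\System\ConsentPromptBehaviorAdmin: UAC behaviour for members of Administrators
UAC_ADMIN = ["elevate without prompting", "prompt for credentials on the secure desktop",
             "prompt for consent on the secure desktop", "prompt for credentials", "prompt for consent",
             "prompt for consent for non-Windows binaries (default on Windows 7 and later)"]

@dataclass
class Finding:
    tags: list
    status: str
    kind: str                           # "registry", "task" or "other"
    fields: dict = field(default_factory=dict)
    severity: str = "info"              # info < review < high (editor's rule of thumb, not RogueKiller's)
    note: str = ""

def parse_registry(body):
    arch = ARCH_RE.match(body)
    body = body[arch.end():] if arch else body
    key, name, value, data = body, None, None, None
    if " | " in body:                   # "Key | ValueName : Value"
        key, rest = body.split(" | ", 1)
        name, value = rest.split(" : ", 1) if " : " in rest else (rest, None)
        value = ANNOT_RE.sub("", value) if value is not None else None
    elif " (" in body:                  # "Key (image path)", used for BHOs and services
        key, data = body.split(" (", 1)
        data = data.rstrip(")")
    return {"arch": arch and arch.group(1), "key": key.strip(), "name": name, "value": value, "data": data}

def parse_task(body):                   # "<task> -- <program> (<args>)"
    task, program = body.split(" -- ", 1)
    args = None
    if program.endswith(")") and " (" in program:
        program, args = program.rsplit(" (", 1)
        args = args.rstrip(")")
    return {"task": task.strip(), "program": program.strip(), "args": args}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tags, body, status = m.group("tags").split("|"), m.group("body"), m.group("status")
    if ARCH_RE.sub("", body).startswith("HKEY_"):
        return Finding(tags, status, "registry", parse_registry(body))
    if " -- " in body:
        return Finding(tags, status, "task", parse_task(body))
    return Finding(tags, status, "other", {"body": body})

def triage(f):
    """Attach a severity and a plain-language note to a Finding and return it."""
    fl, name = f.fields, f.fields.get("name") or ""
    if "PUM.Policies" in f.tags and name == "ConsentPromptBehaviorAdmin":
        level = int(fl["value"]) if fl["value"].isdigit() else -1
        meaning = UAC_ADMIN[level] if 0 <= level < len(UAC_ADMIN) else "unknown value"
        f.note = f"UAC {name} = {fl['value']}: administrators {meaning}."
        if level == 0:
            f.severity = "high"
            f.note += " Code in the admin session gets full rights silently; restore 5 unless you set this deliberately."
    elif "PUM.Dns" in f.tags and name.endswith("NameServer"):
        private = all(ipaddress.ip_address(t).is_private for t in re.split(r"[\s,]+", fl["value"].strip()))
        f.severity = "info" if private else "review"
        f.note = f"{name} = {fl['value']}: " + ("private (RFC 1918) address, normally the LAN router; confirm it is yours."
                  if private else "public resolver; confirm it is your ISP's or your own choice, else suspect DNS hijacking.")
    elif "PUM.HomePage" in f.tags:
        f.note = f"{name} = {fl['value']}: browser start page, usually an OEM or user setting; change it in the browser if unwanted."
    elif any(t.startswith("PUP") for t in f.tags):
        f.severity, f.note = "review", f"Browser add-on loaded from {fl['data']}; remove it if the product is unwanted."
    elif "Hidden.From.SCM" in f.tags:
        svc = fl["key"].rsplit("\\", 1)[-1]
        f.severity, f.note = "review", f"Service {svc} is not listed by the Service Control Manager; check the signature of {fl['data']} first."
    elif f.kind == "task":
        vt = [t[3:] for t in f.tags if t.startswith("VT.")]
        label = f", labelled {vt[0]} by a VirusTotal engine" if vt else ""
        f.severity = "review"
        f.note = (f"Task {fl['task']} runs {fl['program']}{label}. A task that returns after deletion is recreated by "
                  "software still installed; check the file's publisher signature and uninstall or disable that product's updater.")
    return f

def triage_report(text):
    return [triage(f) for f in map(parse_line, text.splitlines()) if f is not None]

# Constructed sample: lines copied from the reports posted in this thread.
SAMPLE_REPORT = r"""
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814} (C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[Suspicious.Path|VT.Trojan.Siggen6.58323] \WpsUpdateTask_melen -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found
"""
if __name__ == "__main__":
    for f in sorted(triage_report(SAMPLE_REPORT), key=lambda f: ("high", "review", "info").index(f.severity)):
        print(f"[{f.severity:6}] {'|'.join(f.tags)}: {f.note}")
```

Run as-is it prints the six sample findings with the UAC policy on top; to triage a real report, read the saved RogueKiller text file and pass its contents to triage_report. The only entry the script rates "high" is the UAC value, because it changes what every other program on the box can do; the DNS and home-page entries are reported as informational when they point at the LAN and at an OEM page, and anything with an image path or a VirusTotal label is left at "review" so the file's signature gets checked before anything is deleted.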

7
RogueKiller / Trojan.Siggen6.58323 What is this....
« on: April 28, 2016, 04:26:27 am »
Hi...

Can you guys take a look and see if I have anything suspicious?

Registry : 13
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y  -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected

Thanks

George
