Author Topic: Trojan.Siggen6.58323 What is this.... (Read 8741 times)

melen · « **on:** April 28, 2016, 04:26:27 AM »

Hi...

Can you guys take a look and see if I have anything suspicious?

¤¤¤ Registry : 13 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Not selected
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected

Thanks

George

Curson · « **Reply #1 on:** April 28, 2016, 01:29:36 PM »

Hi George,

Welcome to Adlice.com Forum.
Your report is clean, nothing suspicious.

Regards.

melen · « **Reply #2 on:** April 29, 2016, 11:20:00 PM »

Hi...
I scanned yesterday and removed the Task 2 threats that are on the report but today I see that they are back. I suspect that they are part of the update app for WPS Kingsoft Office Suite. If this is true why does the description classifies then as Trojans??? I have included the scan info file:

RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : melen [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan Aborted -- Date : 04/29/2016 17:03:03

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 13 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path|VT.Trojan.Siggen6.58323] %WINDIR%\Tasks\WpsUpdateTask_melen.job -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found
[Suspicious.Path|VT.Trojan.Siggen6.58323] \WpsUpdateTask_melen -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] f4ac79b6a1a948e74d7f9b6d0649379a
[BSP] b72eeb4ef45ede7ec6828e66fb2a6a62 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 699978 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1436628992 | Size: 13925 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

I would appreciate your help.

Thanks
George

melen · « **Reply #3 on:** April 29, 2016, 11:32:06 PM »

Hi...

I recently removed 2 supposedly Trojan.Siggen6.58323 and I see them again. The description specifies that it belongs to WPS Kingsoft Office and it's the update app. If this is true then it should be good. You will see below the Roque Killer Scan...

...

RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : melen [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan Aborted -- Date : 04/29/2016 17:03:03

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 13 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path|VT.Trojan.Siggen6.58323] %WINDIR%\Tasks\WpsUpdateTask_melen.job -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found
[Suspicious.Path|VT.Trojan.Siggen6.58323] \WpsUpdateTask_melen -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] f4ac79b6a1a948e74d7f9b6d0649379a

THANK YOU very much for your service.

George

melen · « **Reply #4 on:** May 02, 2016, 03:36:56 AM »

Hi...

I wonder if it's possible for you to take a look and see if I have anything that I should remove. I did submit a report recently but this a new one. It's a bit complicated for me for I am a newbie in this and don't know what I should do. I will really appreciate your help.

Thanks
George
Puerto Rico

...

RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : melen [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 05/01/2016 21:24:01

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 11 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([]) -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\WpsUpdateTask_melen.job -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found
[Suspicious.Path] \WpsUpdateTask_melen -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 +++++
--- User ---
[MBR] f4ac79b6a1a948e74d7f9b6d0649379a
[BSP] b72eeb4ef45ede7ec6828e66fb2a6a62 : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 699978 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1436628992 | Size: 13925 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Curson · « **Reply #5 on:** May 02, 2016, 01:37:10 PM »

Hi melen,

I merged all your posts into this thread since they are addressing the same issue.
Do not post in others people threads, please.

Quote from: melen

I recently removed 2 supposedly Trojan.Siggen6.58323 and I see them again. The description specifies that it belongs to WPS Kingsoft Office and it's the update app. If this is true then it should be good. You will see below the Roque Killer Scan...

These entries are false positives and therefore, are harmless.
This will be fixed as soon as possible.

Quote from: melen

I wonder if it's possible for you to take a look and see if I have anything that I should remove. I did submit a report recently but this a new one. It's a bit complicated for me for I am a newbie in this and don't know what I should do. I will really appreciate your help.

This report is perfectly clean.

Note : This thread has been moved to the "RogueKiller" section for clarity.

Regards.

melen · « **Reply #6 on:** May 02, 2016, 03:30:49 PM »

Hi Curson...

Sorry for me posting in someones post. I got carried away. I was suspecting that they where "false positives" so that's way I asked for help. Just wasn't sure. I really appreciate your valued assistance and help concerning my issue. I can see that your service is fast and on the money.

Thank you so very much
George
Puerto Rico

Curson · « **Reply #7 on:** May 02, 2016, 03:49:50 PM »

Hi melen,

You are very welcome.
Thanks for supporting our product.

Regards.

Author Topic: Trojan.Siggen6.58323 What is this.... (Read 8741 times)

melen

Trojan.Siggen6.58323 What is this....

Curson

Re: Re: PUM . dns

melen

Trojan.Siggen6.58323 What is this....

melen

Trojan.Siggen6.58323 What is this....

melen

Re: Re: PUM . dns

Curson

Re: Trojan.Siggen6.58323 What is this....

melen

Re: Trojan.Siggen6.58323 What is this....

Curson

Re: Trojan.Siggen6.58323 What is this....