Author Topic: Trojan.Siggen6.58323 What is this....  (Read 8737 times)


April 28, 2016, 04:26:27 AM

melen

Trojan.Siggen6.58323 What is this....
« on: April 28, 2016, 04:26:27 AM »
Hi...

Can you guys take a look and see if I have anything suspicious?

¤¤¤ Registry : 13 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y  -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Not selected
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected

Thanks

George

Reply #1 April 28, 2016, 01:29:36 PM

Curson

Re: Re: PUM . dns
« Reply #1 on: April 28, 2016, 01:29:36 PM »
Hi George,

Welcome to Adlice.com Forum.
Your report is clean, nothing suspicious.

Regards.

Reply #2 April 29, 2016, 11:20:00 PM

melen

Trojan.Siggen6.58323 What is this....
« Reply #2 on: April 29, 2016, 11:20:00 PM »
Hi...
I scanned yesterday and removed the 2 Tasks threats that are on the report, but today I see that they are back. I suspect that they are part of the update app for WPS Kingsoft Office Suite. If this is true, why does the description classify them as Trojans? I have included the scan info file:

RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : melen [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan Aborted -- Date : 04/29/2016 17:03:03

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 13 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path|VT.Trojan.Siggen6.58323] %WINDIR%\Tasks\WpsUpdateTask_melen.job -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found
[Suspicious.Path|VT.Trojan.Siggen6.58323] \WpsUpdateTask_melen -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] f4ac79b6a1a948e74d7f9b6d0649379a
[BSP] b72eeb4ef45ede7ec6828e66fb2a6a62 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 699978 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1436628992 | Size: 13925 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

I would appreciate your help.

Thanks
George

Reply #3 April 29, 2016, 11:32:06 PM

melen

Trojan.Siggen6.58323 What is this....
« Reply #3 on: April 29, 2016, 11:32:06 PM »
Hi...

I recently removed 2 supposed Trojan.Siggen6.58323 and I see them again. The description specifies that it belongs to WPS Kingsoft Office and it's the update app. If this is true, then it should be good. You will see below the RogueKiller scan...

THANK YOU very much for your service.

George

Reply #4 May 02, 2016, 03:36:56 AM

melen

Re: Re: PUM . dns
« Reply #4 on: May 02, 2016, 03:36:56 AM »
Hi...

I wonder if it's possible for you to take a look and see if I have anything that I should remove. I did submit a report recently, but this is a new one. It's a bit complicated for me, for I am a newbie in this and don't know what I should do. I will really appreciate your help.

Thanks
George
Puerto Rico

RogueKiller V12.1.4.0 (x64) [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : melen [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 05/01/2016 21:24:01

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 11 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FontCache3.0.0.0 (%systemroot%\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1916841561-3361044600-1070738565-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/?cid=C001B2Y  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0C135B63-F0EA-4167-A9A7-38C354B576AF} | DhcpNameServer : 10.0.0.138 ([])  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\WpsUpdateTask_melen.job -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found
[Suspicious.Path] \WpsUpdateTask_melen -- C:\Users\melen\AppData\Local\Kingsoft\WPS Office\10.1.0.5552\wtoolex\wpsupdate.exe (-from=task) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 +++++
--- User ---
[MBR] f4ac79b6a1a948e74d7f9b6d0649379a
[BSP] b72eeb4ef45ede7ec6828e66fb2a6a62 : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 699978 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1436628992 | Size: 13925 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
« Last Edit: May 02, 2016, 03:39:38 AM by melen »

Reply #5 May 02, 2016, 01:37:10 PM

Curson

Re: Trojan.Siggen6.58323 What is this....
« Reply #5 on: May 02, 2016, 01:37:10 PM »
Hi melen,

I merged all your posts into this thread since they are addressing the same issue.
Do not post in other people's threads, please.

Quote from: melen
I recently removed 2 supposed Trojan.Siggen6.58323 and I see them again. The description specifies that it belongs to WPS Kingsoft Office and it's the update app. If this is true, then it should be good. You will see below the RogueKiller scan...
These entries are false positives and therefore, are harmless.
This will be fixed as soon as possible.

Quote from: melen
I wonder if it's possible for you to take a look and see if I have anything that I should remove. I did submit a report recently, but this is a new one. It's a bit complicated for me, for I am a newbie in this and don't know what I should do. I will really appreciate your help.
This report is perfectly clean.

Note : This thread has been moved to the "RogueKiller" section for clarity.

Regards.
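The two task entries in the reports above carry two tags: Suspicious.Path, meaning a scheduled task launches a binary from the user's own AppData folder, and VT.Trojan.Siggen6.58323, which carries a VirusTotal engine's name for that file. Before taking a false-positive verdict on trust, a practitioner would check the task's target binary locally: who signed it, and what its hash is for a manual VirusTotal lookup. The PowerShell script below is an added example for this thread, not code from the posts or from Adlice. It assumes Windows 7 with PowerShell 3 or later, takes the task name from the report, and uses schtasks.exe because the Get-ScheduledTask cmdlet does not exist on Windows 7. It also reads the ConsentPromptBehaviorAdmin value listed under PUM.Policies, where 0 means UAC elevates administrators without any prompt (the Windows 7 default is 5).

```powershell
# Added example (not from the thread or from RogueKiller): triage a scheduled
# task that RogueKiller reported as Suspicious.Path|VT.<name>.
# Assumes Windows 7 with PowerShell 3 or later. schtasks.exe is used rather
# than Get-ScheduledTask because the ScheduledTasks module only ships with
# Windows 8 / Server 2012 and later. The default task name comes from the report.
param([string]$TaskName = '\WpsUpdateTask_melen')

# 1. Resolve the task's action to an executable path.
[xml]$taskXml = (schtasks.exe /Query /TN $TaskName /XML | Out-String).Trim()
$exec    = $taskXml.Task.Actions.Exec
$exePath = [Environment]::ExpandEnvironmentVariables($exec.Command.Trim('"'))
"Task        : $TaskName"
"Command     : $exePath $($exec.Arguments)"
"Runs as     : $($taskXml.Task.Principals.Principal.UserId)"
if (-not (Test-Path -LiteralPath $exePath)) { throw "Target binary not found: $exePath" }

# 2. The Suspicious.Path heuristic: a binary started from a location the user
#    can write to (profile, AppData, Temp, ProgramData) could have been dropped
#    or replaced without administrator rights, so it deserves a second look.
$userWritable = @($env:USERPROFILE, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ }
$inUserWritable = [bool]($userWritable | Where-Object { $exePath.StartsWith($_, 'OrdinalIgnoreCase') })
"UserWritable: $inUserWritable"

# 3. Authenticode: a Valid signature whose subject is the expected vendor is the
#    strongest local evidence that a VT hit on a vendor updater is a false positive.
$sig = Get-AuthenticodeSignature -FilePath $exePath
"Signature   : $($sig.Status)"
if ($sig.SignerCertificate) { "Signer      : $($sig.SignerCertificate.Subject)" }

# 4. SHA-256 for a manual VirusTotal lookup. Get-FileHash needs PowerShell 4,
#    so the hash is computed directly with .NET.
$stream = [IO.File]::OpenRead($exePath)
try {
    $sha256 = ([Security.Cryptography.SHA256]::Create().ComputeHash($stream) |
        ForEach-Object { $_.ToString('x2') }) -join ''
} finally { $stream.Close() }
"SHA256      : $sha256"

# 5. The PUM.Policies entry: ConsentPromptBehaviorAdmin = 0 means UAC elevates
#    administrators without any prompt; the Windows 7 default is 5 (prompt for
#    consent for non-Windows binaries).
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"UAC         : ConsentPromptBehaviorAdmin = $($uac.ConsentPromptBehaviorAdmin)"
```

Save it as a .ps1 file and run it from the account that owns the task (the task name in the report ends with the user name, so it was created in that user's context). A signature status of Valid with the vendor as signer, plus a clean VirusTotal page for the printed SHA-256, is what you would expect for an updater the product recreates on every start, which is also why the entries come back after removal: RogueKiller deletes the task, and the installed suite schedules it again.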

Reply #6 May 02, 2016, 03:30:49 PM

melen

Re: Trojan.Siggen6.58323 What is this....
« Reply #6 on: May 02, 2016, 03:30:49 PM »
Hi Curson...

Sorry for posting in someone else's thread. I got carried away. I was suspecting that they were "false positives", so that's why I asked for help. Just wasn't sure. I really appreciate your valued assistance and help concerning my issue. I can see that your service is fast and on the money.

Thank you so very much
George
Puerto Rico

Reply #7 May 02, 2016, 03:49:50 PM

Curson

Re: Trojan.Siggen6.58323 What is this....
« Reply #7 on: May 02, 2016, 03:49:50 PM »
Hi melen,

You are very welcome.
Thanks for supporting our product. :)

Regards.