[code]
HitmanPro 3.7.9.240
www.hitmanpro.com

   Computer name . . . . : SAMSUNG-SAMSUNG
   Windows . . . . . . . : 6.1.1.7601.X64/2
   User name . . . . . . : SAMSUNG-SAMSUNG\samsung
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2015-04-16 15:26:34
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 6m 25s
   Disk access mode . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot . . . . . . . : No

   Threats . . . . . . . : 1
   Traces . . . . . . . : 20

   Objects scanned . . . : 1 599 396
   Files scanned . . . . : 40 290
   Remnants scanned . . : 415 517 files / 1 143 589 keys

Malware _____________________________________________________________________

   C:\Users\samsung\Desktop\Programiki [RÓŻNIASTE]\tatowy\MIO_350_w\MIO P350 user guide provided through pdfretriever.com.exe
      Size . . . . . . . : 707 736 bytes
      Age . . . . . . . : 342.5 days (2014-05-09 03:56:42)
      Entropy . . . . . : 7.9
      SHA-256 . . . . . : 848ABCEDD4E70D835C3AB3E040C2D04B48D3C710116309B142B704D6EFA04DBF
      Product . . . . . : Interactive Install
      Publisher . . . . : Live Soft Action S.R.L.
      Description . . . : Interactive Install
      Version . . . . . : 1.0.11.0
      Copyright . . . . : (c) Live Soft Action S.R.L. All rights reserved.
      RSA Key Size . . . : 2048
      LanguageID . . . . : 1033
      Authenticode . . . : Valid
    > Bitdefender . . . : Application.Generic.1055055
      Fuzzy . . . . . . : 101.0

Suspicious files ____________________________________________________________

   C:\Users\samsung\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LW6S0LI\FRST64[1].exe
      Size . . . . . . . : 2 097 664 bytes
      Age . . . . . . . : 0.1 days (2015-04-16 13:22:04)
      Entropy . . . . . : 7.5
      SHA-256 . . . . . : 5E25CB59ECC2FC8A9B2B8E852A4FF11621595BA5613AD601AF63742D7EAA3353
      Needs elevation . : Yes
      Fuzzy . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.2s C:\Users\samsung\AppData\Roaming\Microsoft\Windows\Cookies\6MSZZ8O0.txt
         -0.2s C:\Users\samsung\AppData\Roaming\Microsoft\Windows\Cookies\M6JJ6ZI4.txt
         -0.2s C:\Users\samsung\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LW6S0LI\82[1].htm
          0.0s C:\Users\samsung\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LW6S0LI\FRST64[1].exe

   C:\Users\samsung\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll
      Size . . . . . . . : 963 480 bytes
      Age . . . . . . . : 318.7 days (2014-06-01 21:49:26)
      Entropy . . . . . : 7.6
      SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\samsung\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
      Size . . . . . . . : 963 480 bytes
      Age . . . . . . . : 318.7 days (2014-06-01 21:49:26)
      Entropy . . . . . : 7.6
      SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\samsung\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
      Size . . . . . . . : 951 497 bytes
      Age . . . . . . . : 318.7 days (2014-06-01 21:44:29)
      Entropy . . . . . : 7.6
      SHA-256 . . . . . : 43358BBCEC1EBE7927CA3B0A3DCA0597D5E8584F0FCBE987B8126A0C12D73A2B
      Fuzzy . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\samsung\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
      Size . . . . . . . : 140 072 bytes
      Age . . . . . . . : 318.7 days (2014-06-01 21:44:41)
      Entropy . . . . . : 7.7
      SHA-256 . . . . . : CC3F4E453FC246B64C09E81BB73741CECC897C805C13815336647E986A60301E
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

Potential Unwanted Programs _________________________________________________

   HKU\S-1-5-21-4209209786-2917733824-1122995674-1000\Software\AppDataLow\Software\Conduit\ (Conduit)
   HKU\S-1-5-21-4209209786-2917733824-1122995674-1000_Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ (Yontoo)
   HKU\S-1-5-21-4209209786-2917733824-1122995674-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975} (Claro)
   HKU\S-1-5-21-4209209786-2917733824-1122995674-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{98889811-442D-49DD-99D7-DC866BE87DBC} (Claro)
   HKU\S-1-5-21-4209209786-2917733824-1122995674-1001\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectNewTabPageShow (22Find)
   HKU\S-1-5-21-4209209786-2917733824-1122995674-1001\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectShowTabsWelcome (22Find)
   HKU\S-1-5-21-4209209786-2917733824-1122995674-1001_Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ (Yontoo)

Cookies _____________________________________________________________________

   C:\Users\samsung\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.adocean.pl
   C:\Users\samsung\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\samsung\AppData\Local\Google\Chrome\User Data\Default\Cookies:bs.serving-sys.com
   C:\Users\samsung\AppData\Local\Google\Chrome\User Data\Default\Cookies:diff3.smartadserver.com
   C:\Users\samsung\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\samsung\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Users\samsung\AppData\Local\Google\Chrome\User Data\Default\Cookies:smartadserver.com
[/code]