[code]
HitmanPro 3.7.14.265
www.hitmanpro.com

   Computer name . . . . : JANUSZRENESANSU
   Windows . . . . . . . : 6.3.0.9600.X64/4
   User name . . . . . . : JanuszRenesansu\Penturion
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2016-05-23 18:52:25
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 4m 15s
   Disk access mode . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot . . . . . . . : No

   Threats . . . . . . . : 3
   Traces . . . . . . . : 14

   Objects scanned . . . : 1 822 919
   Files scanned . . . . : 42 629
   Remnants scanned . . : 468 459 files / 1 311 831 keys

Malware _____________________________________________________________________

   C:\Program Files\KMSpico\AutoPico.exe
      Size . . . . . . . : 1 051 416 bytes
      Age . . . . . . . : 156.2 days (2015-12-19 13:17:06)
      Entropy . . . . . : 6.0
      SHA-256 . . . . . : 480CA9086FD1999975C1C060A36C57A746F87E51681417D8C8B89648796F78CA
      Needs elevation . : Yes
      Product . . . . . : AutoPico
      RSA Key Size . . . : 1024
      LanguageID . . . . : 0
      Authenticode . . . : Self-signed
    > HitmanPro . . . . : App/KMSActiv-A
      Fuzzy . . . . . . : 115.0
      Startup
         C:\Windows\system32\Tasks\AutoPico Daily Restart
      References
         C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk

   C:\Program Files\KMSpico\KMSELDI.exe
      Size . . . . . . . : 1 175 320 bytes
      Age . . . . . . . : 156.2 days (2015-12-19 13:17:07)
      Entropy . . . . . : 6.4
      SHA-256 . . . . . : B643F93A329093DA0DCDBAA7BB95233E447D04917CBA6319D96F62C1667479BF
      Needs elevation . : Yes
      Product . . . . . : KMS GUI ELDI
      RSA Key Size . . . : 1024
      LanguageID . . . . : 0
      Authenticode . . . : Self-signed
    > HitmanPro . . . . : App/KMSActiv-A
      Fuzzy . . . . . . : 115.0
      References
         C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk

   C:\Users\Penturion\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
      Size . . . . . . . : 951 497 bytes
      Age . . . . . . . : 106.0 days (2016-02-07 18:11:56)
      Entropy . . . . . : 7.6
      SHA-256 . . . . . : 43358BBCEC1EBE7927CA3B0A3DCA0597D5E8584F0FCBE987B8126A0C12D73A2B
    > HitmanPro . . . . : App/Punkbust-B
      Fuzzy . . . . . . : 129.0

Suspicious files ____________________________________________________________

   C:\Users\Penturion\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
      Size . . . . . . . : 140 072 bytes
      Age . . . . . . . : 106.0 days (2016-02-07 18:12:06)
      Entropy . . . . . : 7.7
      SHA-256 . . . . . : CC3F4E453FC246B64C09E81BB73741CECC897C805C13815336647E986A60301E
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Penturion\Downloads\FRST64.exe
      Size . . . . . . . : 2 383 360 bytes
      Age . . . . . . . : 0.1 days (2016-05-23 15:38:41)
      Entropy . . . . . : 7.6
      SHA-256 . . . . . : DE49CF6D342CEAD974A1CBDF411025AA8260B51CD9C841E15719ED7909585F09
      Needs elevation . : Yes
      Fuzzy . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.

   C:\Windows\SysWOW64\GameMon.des
      Size . . . . . . . : 3 916 368 bytes
      Age . . . . . . . : 126.0 days (2016-01-18 18:29:31)
      Entropy . . . . . : 8.0
      SHA-256 . . . . . : C2FA0CBBF038F74F8A30F86E289C09D488A36285BF6BBD45CD44C855F6696B1B
      Product . . . . . : nProtect Game Monitor
      Publisher . . . . : INCA Internet Co., Ltd.
      Description . . . : nProtect Game Monitor Rev 2368
      Version . . . . . : 2016.1.10.1
      RSA Key Size . . . : 2048
      Service . . . . . : npggsvc
      LanguageID . . . . : 1042
      Authenticode . . . : Valid
      Fuzzy . . . . . . : 25.0
         The file name extension of this program is not common.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         Starts automatically as a service during system bootup.
         Program is code signed with a valid Authenticode certificate.
      Startup
         HKLM\SYSTEM\CurrentControlSet\Services\npggsvc\

Potential Unwanted Programs _________________________________________________

   HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\RndService\ (Amonetize)
   HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\RndService\ (Amonetize)

Cookies _____________________________________________________________________

   C:\Users\Penturion\AppData\Roaming\Mozilla\Firefox\Profiles\P1iPqXPm.default\cookies.sqlite:doubleclick.net
   C:\Users\Penturion\AppData\Roaming\Mozilla\Firefox\Profiles\P1iPqXPm.default\cookies.sqlite:www.googleadservices.com
[/code]