[code]
   HitmanPro 3.7.15.281
   www.hitmanpro.com

   Computer name . . . . : DOMOWNICYPC
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : DomownicyPC\Domownicy
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2016-12-03 21:47:39
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 12m 32s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 2
   Traces  . . . . . . . : 74

   Objects scanned . . . : 2 380 264
   Files scanned . . . . : 100 298
   Remnants scanned  . . : 600 046 files / 1 679 920 keys

Miniport ____________________________________________________________________

   Primary
      DriverObject  . . . : FFFFFA8007746060
      DriverName  . . . . : \Driver\nvstor64
      DriverPath  . . . . : \SystemRoot\system32\DRIVERS\nvstor64.sys
      StartIo . . . . . . : 0000000000000000 +0
      IRP_MJ_SCSI . . . . : FFFFFA8006E2D2C0 +0

   Solution
      DriverObject  . . . : FFFFFA8007746060
      DriverName  . . . . : \Driver\nvstor64
      DriverPath  . . . . : \SystemRoot\system32\DRIVERS\nvstor64.sys
      StartIo . . . . . . : 0000000000000000 +0
      IRP_MJ_SCSI . . . . : FFFFF88000E2C6C0 \SystemRoot\system32\drivers\storport.sys+5824

Malware _____________________________________________________________________

   C:\ProgramData\InstallMate\{4FCB4500-24E0-4C2A-AEC1-6CC2942867F6}\_Setupx.dll
      Size . . . . . . . : 54 272 bytes
      Age  . . . . . . . : 1421.2 days (2013-01-12 17:32:46)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : 6C2EF1A85B6CBE3993484AF3A631C86D425279620B3C02593BF8364C8BCA8318
    > Kaspersky  . . . . : not-a-virus:HEUR:Downloader.Win32.AdLoad.u
      Fuzzy  . . . . . . : 106.0

   C:\Users\Domownicy\AppData\Local\PunkBuster\WF\pb\pbcl.dll
      Size . . . . . . . : 951 565 bytes
      Age  . . . . . . . : 473.3 days (2015-08-18 14:04:45)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 28FDCBC64DEB82D8A64A4770F2B616CE5E95B4751BBE6FA459DD2B64A12298CF
    > HitmanPro  . . . . : App/Punkbust-B
      Fuzzy  . . . . . . : 129.0

Suspicious files ____________________________________________________________

   C:\Users\Domownicy\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
      Size . . . . . . . : 951 497 bytes
      Age  . . . . . . . : 1294.4 days (2013-05-19 13:01:10)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 43358BBCEC1EBE7927CA3B0A3DCA0597D5E8584F0FCBE987B8126A0C12D73A2B
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Domownicy\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
      Size . . . . . . . : 140 072 bytes
      Age  . . . . . . . : 1294.4 days (2013-05-19 13:01:21)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : CC3F4E453FC246B64C09E81BB73741CECC897C805C13815336647E986A60301E
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Domownicy\AppData\Local\PunkBuster\BFP4F\pb\pbcl.dll
      Size . . . . . . . : 915 149 bytes
      Age  . . . . . . . : 760.2 days (2014-11-04 17:06:12)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : E189EF452F559BFAC0C0A91EFADC78EAA569B915985A213F99666BE56FC86165
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Domownicy\AppData\Local\PunkBuster\BFP4F\pb\PnkBstrK.sys
      Size . . . . . . . : 138 264 bytes
      Age  . . . . . . . : 760.2 days (2014-11-04 17:08:08)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : 4194EFFC7236F018722B6DBF76253E1D833FEEEC158835C4DFAAD0555E7A7D91
      RSA Key Size . . . : 1024
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Domownicy\AppData\Local\PunkBuster\FC3\pb\pbcl.dll
      Size . . . . . . . : 953 886 bytes
      Age  . . . . . . . : 1305.3 days (2013-05-08 14:20:06)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 6D5E2CD4A7A43EB00B600BA783AD3BEE6B817C030A40600D40367173A6ECEB13
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Domownicy\AppData\Local\PunkBuster\FC3\pb\pbcls.dll
      Size . . . . . . . : 953 886 bytes
      Age  . . . . . . . : 1460.2 days (2012-12-04 17:49:26)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 6D5E2CD4A7A43EB00B600BA783AD3BEE6B817C030A40600D40367173A6ECEB13
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Domownicy\AppData\Local\PunkBuster\FC3\pb\PnkBstrK.sys
      Size . . . . . . . : 138 032 bytes
      Age  . . . . . . . : 901.2 days (2014-06-16 17:23:42)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : ABAF3FACF01E10E4C685F79C3B9E5D2118B3CF8629C4277EBE035B2A10474148
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Domownicy\AppData\Local\PunkBuster\GRFS\pb\PnkBstrK.sys
      Size . . . . . . . : 139 848 bytes
      Age  . . . . . . . : 1508.4 days (2012-10-17 12:35:12)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : 7A061E451FE366FDBAAAEAAA4BE58954AAE5017D51B520629312712B7438C0E2
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Domownicy\AppData\Local\PunkBuster\HOS\pb\pbcl.dll
      Size . . . . . . . : 951 877 bytes
      Age  . . . . . . . : 947.5 days (2014-05-01 10:05:43)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 833CB80463E9181DBCC24242B392B70E6E80DD72A07B79727AB9936FCADEDD2A
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Domownicy\AppData\Local\PunkBuster\HOS\pb\pbclold.dll
      Size . . . . . . . : 951 877 bytes
      Age  . . . . . . . : 948.4 days (2014-04-30 12:11:40)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 833CB80463E9181DBCC24242B392B70E6E80DD72A07B79727AB9936FCADEDD2A
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Domownicy\AppData\Local\PunkBuster\HOS\pb\PnkBstrK.sys
      Size . . . . . . . : 139 112 bytes
      Age  . . . . . . . : 948.4 days (2014-04-30 12:11:52)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : 22A0F36A4E6891CDCFDF3460A19285662D017B02266D5D9A7EED43CF74B0A39A
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Domownicy\AppData\Local\PunkBuster\TWZ\pb\pbcl.dll
      Size . . . . . . . : 964 936 bytes
      Age  . . . . . . . : 1084.3 days (2013-12-15 14:30:36)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 4B79C9E2ED01AF93CE240F235DB266B9276F6EEB9497D341B2CC04B7B640B3AE
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Domownicy\AppData\Local\PunkBuster\TWZ\pb\PnkBstrK.sys
      Size . . . . . . . : 139 528 bytes
      Age  . . . . . . . : 1084.3 days (2013-12-15 14:30:45)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : C2657515354653B5A7C17F3F9CA4B5F97B9442C976F5A9FC9A5FDB8A7392138E
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Domownicy\AppData\Local\PunkBuster\WF\pb\PnkBstrK.sys
      Size . . . . . . . : 139 128 bytes
      Age  . . . . . . . : 473.3 days (2015-08-18 14:04:55)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : DD1DC609F49E1D61C5269CEBAA7603EFD9BDD5234A3D1C46A2F34EE637A6061D
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Domownicy\AppData\Roaming\Ubisoft\Tom Clancy's Ghost Recon Future Soldier\pb\pbcl.dll
      Size . . . . . . . : 953 993 bytes
      Age  . . . . . . . : 1508.4 days (2012-10-17 12:30:25)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 6FC627EACC159ED0684AAB2E1A7E576605FE3E721D5FC4A2CE2ABC2E389E986E
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Domownicy\AppData\Roaming\Ubisoft\Tom Clancy's Ghost Recon Future Soldier\pb\pbcls.dll
      Size . . . . . . . : 953 993 bytes
      Age  . . . . . . . : 1508.4 days (2012-10-17 12:30:26)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 6FC627EACC159ED0684AAB2E1A7E576605FE3E721D5FC4A2CE2ABC2E389E986E
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

Potential Unwanted Programs _________________________________________________

   HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}\ (ClearThink)
   HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\ (ReimageRepair)
   HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ (ReimageRepair)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011341191}\ (VidSaver)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011341191}\ (VidSaver)
   HKU\.DEFAULT\Software\IM\ (Sweetpacks)
   HKU\S-1-5-18\Software\IM\ (Sweetpacks)
   HKU\S-1-5-21-602431875-597888983-1884708297-1000\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals)
   HKU\S-1-5-21-602431875-597888983-1884708297-1000\Software\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals)
   HKU\S-1-5-21-602431875-597888983-1884708297-1000\Software\Microsoft\Installer\UpgradeCodes\5E8031606EB60A64C882918F8FF38DD4\ (FLV Player)
   HKU\S-1-5-21-602431875-597888983-1884708297-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}\ (AskBar)
   HKU\S-1-5-21-602431875-597888983-1884708297-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files (x86)\Mobogenie\ (Rocketfuel)
   HKU\S-1-5-21-602431875-597888983-1884708297-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QSqlDriverFactoryInterface:\C:\Program Files (x86)\Mobogenie\ (Rocketfuel)
   HKU\S-1-5-21-602431875-597888983-1884708297-1000\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\C:\Program Files (x86)\Mobogenie\ (Rocketfuel)
   HKU\S-1-5-21-602431875-597888983-1884708297-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals)
   HKU\S-1-5-21-602431875-597888983-1884708297-1000_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals)

Cookies _____________________________________________________________________

   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.directrev.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:addthis.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:adnxs.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.kasyno.pl
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:agkn.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:bluekai.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:cdn.taboola.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:crwdcntrl.net
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:demdex.net
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:dotomi.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:dpm.demdex.net
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:engine.phn.doublepimp.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:fr.sitestat.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:imrworldwide.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:krxd.net
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:liverail.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:mathtag.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:ml314.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:pagefair.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:rfihub.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:rlcdn.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:scorecardresearch.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:stat.4u.pl
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:taboola.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:trc.taboola.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:visualdna.com
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:w55c.net
   C:\Users\Domownicy\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.googleadservices.com
   C:\Users\Domownicy\AppData\Roaming\Microsoft\Windows\Cookies\07FT1MU4.txt
   C:\Users\Domownicy\AppData\Roaming\Microsoft\Windows\Cookies\81PQPM7K.txt
   C:\Users\Domownicy\AppData\Roaming\Microsoft\Windows\Cookies\BMT846Q0.txt
   C:\Users\Domownicy\AppData\Roaming\Microsoft\Windows\Cookies\EDQXETHX.txt
   C:\Users\Domownicy\AppData\Roaming\Microsoft\Windows\Cookies\HQGJY634.txt
   C:\Users\Domownicy\AppData\Roaming\Microsoft\Windows\Cookies\MTO8LOVU.txt
   C:\Users\Domownicy\AppData\Roaming\Microsoft\Windows\Cookies\O3QAMLRJ.txt
   C:\Users\Domownicy\AppData\Roaming\Microsoft\Windows\Cookies\QILB32AN.txt
   C:\Users\Domownicy\AppData\Roaming\Microsoft\Windows\Cookies\TVOOT22W.txt
[/code]
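A triage helper for logs in the layout above, added here as example code; it is not part of HitmanPro and was not posted by the log's author. It parses a constructed excerpt of the Malware and Suspicious files sections, groups file records by SHA-256 so that byte-identical copies (the FC3 pbcl.dll / pbcls.dll pair above, likewise the HOS and Ghost Recon pairs) are analysed once, and flags the entries a responder should open first: anything carrying a scanner verdict (the `>` lines), a kernel driver (.sys) stored under a user profile, and an Authenticode-signed file whose RSA key is shorter than 2048 bits (the BFP4F PnkBstrK.sys above). The 2048-bit threshold and the "driver under AppData" rule are the example's own assumptions, not HitmanPro heuristics.

```python
"""Parse a HitmanPro scan log and rank its file records for manual triage.

Added example; the log format is inferred from the posted scan log, and the
SAMPLE_LOG below is a constructed excerpt of that log, not a live scan.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Malware _____________________________________________________________________

   C:\ProgramData\InstallMate\{4FCB4500-24E0-4C2A-AEC1-6CC2942867F6}\_Setupx.dll
      Size . . . . . . . : 54 272 bytes
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : 6C2EF1A85B6CBE3993484AF3A631C86D425279620B3C02593BF8364C8BCA8318
    > Kaspersky  . . . . : not-a-virus:HEUR:Downloader.Win32.AdLoad.u
      Fuzzy  . . . . . . : 106.0

Suspicious files ____________________________________________________________

   C:\Users\Domownicy\AppData\Local\PunkBuster\BFP4F\pb\PnkBstrK.sys
      Size . . . . . . . : 138 264 bytes
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : 4194EFFC7236F018722B6DBF76253E1D833FEEEC158835C4DFAAD0555E7A7D91
      RSA Key Size . . . : 1024
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Domownicy\AppData\Local\PunkBuster\FC3\pb\pbcl.dll
      Size . . . . . . . : 953 886 bytes
      SHA-256  . . . . . : 6D5E2CD4A7A43EB00B600BA783AD3BEE6B817C030A40600D40367173A6ECEB13
      Fuzzy  . . . . . . : 29.0

   C:\Users\Domownicy\AppData\Local\PunkBuster\FC3\pb\pbcls.dll
      Size . . . . . . . : 953 886 bytes
      SHA-256  . . . . . : 6D5E2CD4A7A43EB00B600BA783AD3BEE6B817C030A40600D40367173A6ECEB13
      Fuzzy  . . . . . . : 29.0

Potential Unwanted Programs _________________________________________________

   HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}\ (ClearThink)
"""

SECTION_RE = re.compile(r"^(\S.*?) _{5,}\s*$")          # "Malware ______"
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                  # file record header
# optional '>' verdict marker, field name, dot leader, colon, value
FIELD_RE = re.compile(r"^(>?)\s*([A-Za-z][A-Za-z0-9 -]*?)\s+(?:\.\s*)+:\s*(.*?)\s*$")


@dataclass
class Record:
    section: str
    path: str
    fields: dict = field(default_factory=dict)    # Size, SHA-256, RSA Key Size, ...
    verdicts: dict = field(default_factory=dict)  # vendor -> detection name ('>' lines)
    notes: list = field(default_factory=list)     # heuristic explanation lines


def parse_log(text):
    """Return the file records (Malware / Suspicious files) in log order."""
    records, section, current = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        header = SECTION_RE.match(raw)
        if indent == 0 and header:
            section, current = header.group(1), None
        elif indent == 3 and DRIVE_RE.match(line):       # new file record
            current = Record(section, line)
            records.append(current)
        elif current is None:                            # registry keys, cookies, ...
            continue
        elif indent >= 9:                                # indented heuristic text
            current.notes.append(line)
        else:
            m = FIELD_RE.match(line)
            if m:
                marker, name, value = m.groups()
                (current.verdicts if marker else current.fields)[name] = value
    return records


def size_bytes(record):
    """'54 272 bytes' -> 54272 (HitmanPro groups digits with spaces)."""
    return int(record.fields["Size"].replace(" bytes", "").replace(" ", ""))


def triage(records, min_rsa_bits=2048):
    """Return (findings, duplicates).

    findings: [(path, [reasons])] for records that deserve a closer look.
    duplicates: SHA-256 -> paths, for hashes seen on more than one file;
    identical bytes need one analysis, not one per copy.
    """
    by_hash = {}
    for r in records:
        by_hash.setdefault(r.fields.get("SHA-256"), []).append(r.path)
    findings = []
    for r in records:
        reasons = []
        if r.verdicts:
            reasons.append("scanner verdict: " + "; ".join(f"{k}={v}" for k, v in r.verdicts.items()))
        low = r.path.lower()
        if low.endswith(".sys") and "\\appdata\\" in low:
            # Assumption of this example: a driver staged in a user-writable
            # profile directory is worth a look regardless of its signature.
            reasons.append("kernel driver stored under a user profile directory")
        bits = r.fields.get("RSA Key Size")
        if r.fields.get("Authenticode") == "Valid" and bits and int(bits) < min_rsa_bits:
            reasons.append(f"valid Authenticode signature but only a {bits}-bit RSA key")
        if reasons:
            findings.append((r.path, reasons))
    duplicates = {h: p for h, p in by_hash.items() if h and len(p) > 1}
    return findings, duplicates


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    findings, dups = triage(recs)
    for path, reasons in findings:
        print(path)
        for why in reasons:
            print("   -", why)
    for digest, paths in dups.items():
        print(f"{digest[:16]}... shared by {len(paths)} files:", *paths, sep="\n   ")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the parser ignores the Miniport, registry and cookie sections because their entries are not drive-letter paths. The script only orders the work: a flagged item is not thereby malicious, and the log itself labels the WF\pb\pbcl.dll entry App/Punkbust-B, so the signed PunkBuster drivers should be judged against the vendor's published hashes rather than deleted on the strength of the heuristics alone.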