[code]
HitmanPro 3.7.9.234
www.hitmanpro.com

   Computer name . . . . : MAJLOSZ
   Windows . . . . . . . : 6.1.0.7600.X86/4
   User name . . . . . . : MAJLOSZ\XX
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2015-02-03 21:44:25
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 11m 20s
   Disk access mode . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot . . . . . . . : No

   Threats . . . . . . . : 2
   Traces . . . . . . . : 44

   Objects scanned . . . : 1 500 360
   Files scanned . . . . : 29 781
   Remnants scanned . . : 535 961 files / 934 618 keys


Malware _____________________________________________________________________

   C:\System Volume Information\SystemRestore\FRStaging\Windows\Installer\{09DD0AED-5F94-9286-A464-D9F9842F55C6}\ab16af5eaf3374dad30c5956f97c1dea.szcpf
      Size . . . . . . . : 103 936 bytes
      Age . . . . . . . : 1.3 days (2015-02-02 14:47:45)
      Entropy . . . . . : 7.0
      SHA-256 . . . . . : 085F26288DCEFCF6291669A0CA8C9118DDB11DF5D0146373EA3D0FD397F2C34B
      Product . . . . . : Firefox
      Publisher . . . . : Mozilla Foundation
      Description
      Version . . . . . : 30.0
      LanguageID . . . . : 0
    > Bitdefender . . . : Trojan.GenericKD.2030316
    > Kaspersky . . . . : Trojan-Dropper.Win32.Necurs.wzf
      Fuzzy . . . . . . : 110.0

   C:\Users\XX\Downloads\M2Bob_Dll.dll
      Size . . . . . . . : 1 580 032 bytes
      Age . . . . . . . : 37.4 days (2014-12-28 12:18:01)
      Entropy . . . . . : 8.0
      SHA-256 . . . . . : 43FD469A1F48811458A05ADC10A6F6A5B00E40C2C03C67DDEAB7E5CFCD246475
      Version . . . . . : 1.0.0.53
    > Bitdefender . . . : Trojan.GenericKD.2050083
      Fuzzy . . . . . . : 111.0


Suspicious files ____________________________________________________________

   C:\FRST.exe
      Size . . . . . . . : 1 122 304 bytes
      Age . . . . . . . : 0.5 days (2015-02-03 10:34:31)
      Entropy . . . . . : 8.0
      SHA-256 . . . . . : E11B03A01D93122ADCFDF6EBCFEE0C63E6ACA58EAFFD5A5CEE0DB744D09E7EB1
      Needs elevation . : Yes
      Fuzzy . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      References
         HKU\S-1-5-21-3848935919-3367533699-3990728495-1002\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\FRST.exe

   C:\Users\XX\Downloads\FSS.exe
      Size . . . . . . . : 415 232 bytes
      Age . . . . . . . : 0.1 days (2015-02-03 19:51:29)
      Entropy . . . . . : 7.9
      SHA-256 . . . . . : CF5F35213C6434469F1B4F614A2366A2A88F3CBC7C9965A458F64545A76C5AC1
      Needs elevation . : Yes
      Fuzzy . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -18.5s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00011f
         -18.1s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000120
         -17.8s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000121
         -17.8s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000122
         -17.0s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_www.google.pl_0.localstorage
         -17.0s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_www.google.pl_0.localstorage-journal
         -15.9s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000124
         -13.7s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000125
         -10.7s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000126
         -10.3s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000128
         -10.3s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000129
         -10.1s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00012a
         -10.0s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00012b
         -9.9s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00012d
         -9.7s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00012e
         -9.7s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00012f
         -9.6s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000130
         -9.1s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000131
         -9.0s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_googleads.g.doubleclick.net_0.localstorage
         -9.0s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_googleads.g.doubleclick.net_0.localstorage-journal
         -8.0s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.bleepingcomputer.com_0.localstorage
         -8.0s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.bleepingcomputer.com_0.localstorage-journal
         -7.7s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_secure-us.imrworldwide.com_0.localstorage
         -7.7s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_secure-us.imrworldwide.com_0.localstorage-journal
         -3.6s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000132
         -3.3s C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000133
          0.0s C:\Users\XX\Downloads\FSS.exe
         23.8s C:\Users\XX\Downloads\FSS.txt


Potential Unwanted Programs _________________________________________________

   C:\Windows\System32\Tasks\ProtectedSearch\ (CertifiedToolbar)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProtectedSearch\ (CertifiedToolbar)
   HKLM\SYSTEM\ControlSet001\Control\Class\{0014298C-A9BA-440D-AAA8-AD12C7010EE5}\ (ShopperPro)
   HKLM\SYSTEM\ControlSet001\Control\Class\{181A06EA-B82C-47DE-B851-E20FD0E1CC7D}\ (ShopperPro)
   HKLM\SYSTEM\ControlSet002\Control\Class\{0014298C-A9BA-440D-AAA8-AD12C7010EE5}\ (ShopperPro)
   HKLM\SYSTEM\ControlSet002\Control\Class\{181A06EA-B82C-47DE-B851-E20FD0E1CC7D}\ (ShopperPro)
   HKLM\SYSTEM\CurrentControlSet\Control\Class\{0014298C-A9BA-440D-AAA8-AD12C7010EE5}\ (ShopperPro)
   HKLM\SYSTEM\CurrentControlSet\Control\Class\{181A06EA-B82C-47DE-B851-E20FD0E1CC7D}\ (ShopperPro)
   HKU\.DEFAULT\Software\AppDataLow\Software\AskToolbar\ (AskBar)
   HKU\.DEFAULT\Software\AppDataLow\Software\Sense\ (SaveSense)
   HKU\.DEFAULT\Software\IM\ (Sweetpacks)
   HKU\.DEFAULT\Software\ImInstaller\ (Sweetpacks)
   HKU\S-1-5-18\Software\AppDataLow\Software\AskToolbar\ (AskBar)
   HKU\S-1-5-18\Software\AppDataLow\Software\Sense\ (SaveSense)
   HKU\S-1-5-18\Software\IM\ (Sweetpacks)
   HKU\S-1-5-18\Software\ImInstaller\ (Sweetpacks)
   HKU\S-1-5-21-3848935919-3367533699-3990728495-1002\Software\CertifiedToolbar\ (Certified Toolbar)
   HKU\S-1-5-21-3848935919-3367533699-3990728495-1002\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975} (Claro)
   HKU\S-1-5-21-3848935919-3367533699-3990728495-1002\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} (Babylon)
   HKU\S-1-5-21-3848935919-3367533699-3990728495-1002\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ (Rocketfuel)
   HKU\S-1-5-21-3848935919-3367533699-3990728495-1002\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectNewTabPageShow (22Find)
   HKU\S-1-5-21-3848935919-3367533699-3990728495-1002\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectShowTabsWelcome (22Find)
   HKU\S-1-5-21-3848935919-3367533699-3990728495-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4f12-8568-69135F087DB0},\ (SearchQU)
   HKU\S-1-5-21-3848935919-3367533699-3990728495-1002\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{A5A51D2A-505A-4D84-AFC6-E0FA87E47B8C} (ShopperPro)


Cookies _____________________________________________________________________

   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.adview.pl
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.stickyadstv.com
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:adtech.de
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:at.atwola.com
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:media6degrees.com
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:smartadserver.com
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:track.adform.net
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:tradedoubler.com
   C:\Users\XX\AppData\Local\Google\Chrome\User Data\Default\Cookies:tribalfusion.com
[/code]