[code]
HitmanPro 3.7.14.276
www.hitmanpro.com

   Computer name . . . . : MATI
   Windows . . . . . . . : 10.0.0.10586.X64/8
   User name . . . . . . : MATI\MaTii
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2016-09-20 23:00:14
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 31s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 107

   Objects scanned . . . : 1 966 333
   Files scanned . . . . : 49 082
   Remnants scanned  . . : 406 158 files / 1 511 093 keys


Suspicious files ____________________________________________________________

   C:\$Recycle.Bin\S-1-5-21-122393886-2402834969-4264950312-1001\$RVYMEWN\FRST-OlderVersion\FRST64.exe
      Size . . . . . . . : 2 400 256 bytes
      Age  . . . . . . . : 0.5 days (2016-09-20 12:08:00)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 6F3ACEC7F83AFBB175899B64F7C51C5CA1335F499FCDA1481198449A5F985211
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.

   C:\$Recycle.Bin\S-1-5-21-122393886-2402834969-4264950312-1001\$RVYMEWN\FRST64.exe
      Size . . . . . . . : 2 402 816 bytes
      Age  . . . . . . . : 0.1 days (2016-09-20 19:40:42)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 6A2B54CE7265DB20CF5C157A700F731EB8AC9615F4C2DB14151498DCEEAA56E3
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.3s C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\LB90CEQW.txt
         -0.3s C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCache\IE\KWUCXH5O\82[1].htm
          0.0s C:\$Recycle.Bin\S-1-5-21-122393886-2402834969-4264950312-1001\$RVYMEWN\FRST64.exe
          0.0s C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCache\IE\TXXBUT6J\FRST64[1].exe
          3.0s C:\$Recycle.Bin\S-1-5-21-122393886-2402834969-4264950312-1001\$RVYMEWN\FRST-OlderVersion\
          6.1s C:\Windows\Prefetch\FRST64.EXE-BC6B133B.pf
         16.9s C:\$Recycle.Bin\S-1-5-21-122393886-2402834969-4264950312-1001\$RVYMEWN\FRST.txt

   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCache\IE\TXXBUT6J\FRST64[1].exe
      Size . . . . . . . : 2 402 816 bytes
      Age  . . . . . . . : 0.1 days (2016-09-20 19:40:42)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 6A2B54CE7265DB20CF5C157A700F731EB8AC9615F4C2DB14151498DCEEAA56E3
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.3s C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\LB90CEQW.txt
         -0.3s C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCache\IE\KWUCXH5O\82[1].htm
          0.0s C:\$Recycle.Bin\S-1-5-21-122393886-2402834969-4264950312-1001\$RVYMEWN\FRST64.exe
          0.0s C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCache\IE\TXXBUT6J\FRST64[1].exe
          3.0s C:\$Recycle.Bin\S-1-5-21-122393886-2402834969-4264950312-1001\$RVYMEWN\FRST-OlderVersion\
          6.1s C:\Windows\Prefetch\FRST64.EXE-BC6B133B.pf
         16.9s C:\$Recycle.Bin\S-1-5-21-122393886-2402834969-4264950312-1001\$RVYMEWN\FRST.txt


Potential Unwanted Programs _________________________________________________

   C:\Users\Public\QiYi\ (IQIYI)
   C:\Users\Public\QiYi\QiyiHCDN\Config\ (IQIYI)
   C:\Users\Public\QiYi\QiyiHCDN\Config\FDSCache\ (IQIYI)
   C:\Users\Public\QiYi\QiyiHCDN\Config\FDSCache\vodservercfg.blf (IQIYI)
   C:\Users\Public\QiYi\QiyiHCDN\Config\PD.ini (IQIYI)
   C:\Users\Public\QiYi\QiyiHCDN\Config\PowerPlayer.ini (IQIYI)
   C:\Users\Public\QiYi\QiyiHCDN\Config\PSNetwork.ini (IQIYI)
   HKLM\SOFTWARE\Classes\AppID\{3601b5c5-5255-4dc9-ad46-2951e225f22e}\ (SaleClipper)
   HKLM\SOFTWARE\Classes\AppID\{76efae02-0a02-45c9-a8a4-98e69e98e894}\ (RazorWeb)
   HKLM\SOFTWARE\Classes\AppID\{a6da7c31-adfa-4531-a681-ff2c75c340f1}\ (SaleClipper)
   HKLM\SOFTWARE\Classes\AppID\{bbd11510-964d-48c6-84f0-2d414559e06a}\ (RazorWeb)
   HKLM\SOFTWARE\Classes\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\ (IQIYI)
   HKLM\SOFTWARE\Classes\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ (IQIYI)
   HKLM\SOFTWARE\Classes\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\ (IQIYI)
   HKLM\SOFTWARE\Classes\Interface\{348DDE78-0469-4679-B9AF-95A73EDA1AC9}\ (IQIYI)
   HKLM\SOFTWARE\Classes\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\ (IQIYI)
   HKLM\SOFTWARE\Classes\Interface\{8AFC18D6-8D4A-4B9B-88F3-1D9F83E992BB}\ (IQIYI)
   HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ (SupTab)
   HKLM\SOFTWARE\Classes\Interface\{D96C1D26-5CDF-4506-9244-57233C3984DF}\ (IQIYI)
   HKLM\SOFTWARE\Classes\Interface\{E0308372-B24C-42EA-B9D6-4AB3AFAFD128}\ (IQIYI)
   HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/pps-webplayer-plugin\ (IQIYI)
   HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/qywebplayer\ (IQIYI)
   HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{3601b5c5-5255-4dc9-ad46-2951e225f22e}\ (SaleClipper)
   HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{76efae02-0a02-45c9-a8a4-98e69e98e894}\ (RazorWeb)
   HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{a6da7c31-adfa-4531-a681-ff2c75c340f1}\ (SaleClipper)
   HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{bbd11510-964d-48c6-84f0-2d414559e06a}\ (RazorWeb)
   HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ (IQIYI)
   HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{348DDE78-0469-4679-B9AF-95A73EDA1AC9}\ (IQIYI)
   HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{8AFC18D6-8D4A-4B9B-88F3-1D9F83E992BB}\ (IQIYI)
   HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{E0308372-B24C-42EA-B9D6-4AB3AFAFD128}\ (IQIYI)
   HKLM\SOFTWARE\Classes\WOW6432Node\MIME\Database\Content Type\application/pps-webplayer-plugin\ (IQIYI)
   HKLM\SOFTWARE\Classes\WOW6432Node\MIME\Database\Content Type\application/qywebplayer\ (IQIYI)
   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ (IQIYI)
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\ (IQIYI)
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\ (IQIYI)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\ (IQIYI)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ (IQIYI)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ (IQIYI)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\ (IQIYI)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ (IQIYI)
   HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ (IQIYI)
   HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\ (IQIYI)
   HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\ (IQIYI)
   HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ (IQIYI)
   HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\Interface\{348DDE78-0469-4679-B9AF-95A73EDA1AC9}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\Interface\{8AFC18D6-8D4A-4B9B-88F3-1D9F83E992BB}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\Interface\{D96C1D26-5CDF-4506-9244-57233C3984DF}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\Interface\{E0308372-B24C-42EA-B9D6-4AB3AFAFD128}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\PPS.IPlayer.1\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\PPS.IPlayer\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\PPS.ThirdPlayer\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\Wow6432Node\Interface\{348DDE78-0469-4679-B9AF-95A73EDA1AC9}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\Wow6432Node\Interface\{8AFC18D6-8D4A-4B9B-88F3-1D9F83E992BB}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\Wow6432Node\Interface\{D96C1D26-5CDF-4506-9244-57233C3984DF}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Classes\Wow6432Node\Interface\{E0308372-B24C-42EA-B9D6-4AB3AFAFD128}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ppsrun\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ppstream\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qips\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qisu\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qygameclient\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\Interface\{348DDE78-0469-4679-B9AF-95A73EDA1AC9}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\Interface\{8AFC18D6-8D4A-4B9B-88F3-1D9F83E992BB}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\Interface\{D96C1D26-5CDF-4506-9244-57233C3984DF}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\Interface\{E0308372-B24C-42EA-B9D6-4AB3AFAFD128}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\PPS.IPlayer.1\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\PPS.IPlayer\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\PPS.ThirdPlayer\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\Wow6432Node\Interface\{348DDE78-0469-4679-B9AF-95A73EDA1AC9}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\Wow6432Node\Interface\{8AFC18D6-8D4A-4B9B-88F3-1D9F83E992BB}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\Wow6432Node\Interface\{D96C1D26-5CDF-4506-9244-57233C3984DF}\ (IQIYI)
   HKU\S-1-5-21-122393886-2402834969-4264950312-1001_Classes\Wow6432Node\Interface\{E0308372-B24C-42EA-B9D6-4AB3AFAFD128}\ (IQIYI)


Cookies _____________________________________________________________________

   C:\Users\MaTii\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\MaTii\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\MaTii\AppData\Local\Google\Chrome\User Data\Default\Cookies:imrworldwide.com
   C:\Users\MaTii\AppData\Local\Google\Chrome\User Data\Default\Cookies:liverail.com
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\HP31Y2B3.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\0IMDLB10.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\28AJHATE.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\2BI09K9J.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\32HETRKR.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\39JSUZZS.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\4G1XVLV3.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\7IKJLNOA.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\7RH1YROD.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\B1YFCR24.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\BN4T9IIA.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\DA4K6B5L.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\DYKJ02RG.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\FJ7P0LU0.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\GPBKQQX9.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\GW1DPINZ.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\H0L43Z2Q.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\HPUA0FY1.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\M06LOSLP.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\M8HA61VO.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\M939FPMQ.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\P7Q4EIG4.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\QBONRN6X.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\QLFHM76I.txt
   C:\Users\MaTii\AppData\Local\Microsoft\Windows\INetCookies\Low\ZZUUL8K4.txt
   C:\Users\MaTii\AppData\Roaming\Mozilla\Firefox\Profiles\qvzcbvcv.default\cookies.sqlite:doubleclick.net
[/code]