[code]
HitmanPro 3.7.6.201
www.hitmanpro.com

   Computer name . . . . : ROBIN-HP
   Windows . . . . . . . : 6.1.1.7601.X64/2
   User name . . . . . . : Robin-HP\Robin
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-06-13 22:51:27
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 12m 18s
   Disk access mode . .  : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot . . . . . . .  : No

   Threats . . . . . . . : 0
   Traces . . . . . . .  : 877

   Objects scanned . . . : 1.806.333
   Files scanned . . . . : 48.712
   Remnants scanned . .  : 447.135 files / 1.310.486 keys

Suspicious files ____________________________________________________________

   C:\Users\Robin\AppData\Local\PunkBuster\BFP4F\pb\dll\wc002304.dll
      Size . . . . . . . : 954.496 bytes
      Age . . . . . . .  : 287.0 days (2012-08-30 22:34:05)
      Entropy . . . . .  : 7.6
      SHA-256 . . . . .  : EEBDAC091729B0B80A21E14B2CE0392E4584205BA06F5ED1B846C51D034A2177
      Fuzzy . . . . . .  : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Robin\AppData\Local\PunkBuster\BFP4F\pb\pbcl.dll
      Size . . . . . . . : 954.496 bytes
      Age . . . . . . .  : 287.0 days (2012-08-30 22:34:05)
      Entropy . . . . .  : 7.6
      SHA-256 . . . . .  : EEBDAC091729B0B80A21E14B2CE0392E4584205BA06F5ED1B846C51D034A2177
      Fuzzy . . . . . .  : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Robin\AppData\Local\PunkBuster\BFP4F\pb\pbclold.dll
      Size . . . . . . . : 915.149 bytes
      Age . . . . . . .  : 466.5 days (2012-03-04 11:33:49)
      Entropy . . . . .  : 7.6
      SHA-256 . . . . .  : E189EF452F559BFAC0C0A91EFADC78EAA569B915985A213F99666BE56FC86165
      Fuzzy . . . . . .  : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Robin\AppData\Local\PunkBuster\BFP4F\pb\PnkBstrK.sys
      Size . . . . . . . : 139.424 bytes
      Age . . . . . . .  : 466.5 days (2012-03-04 11:34:38)
      Entropy . . . . .  : 7.8
      SHA-256 . . . . .  : 2A97BC40220EE7B5383991EDB238A70B2D6A7881E54E465999E2EADD6A396029
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy . . . . . .  : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Robin\AppData\Local\PunkBuster\HEROES\pb\dll\wc002260.dll
      Size . . . . . . . : 947.283 bytes
      Age . . . . . . .  : 26.2 days (2013-05-18 17:27:46)
      Entropy . . . . .  : 7.6
      SHA-256 . . . . .  : 26898E20DB3E20E2986684F1726D3421B0EA9D381F4BD56D6370AAE63973F5B8
      Fuzzy . . . . . .  : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
      Forensic Cluster
         -0.2s C:\Users\Robin\AppData\Local\PunkBuster\HEROES\pb\htm\wc002260.htm
         -0.2s C:\Users\Robin\AppData\Local\PunkBuster\HEROES\pb\htm\wc002260.htm
          0.0s C:\Users\Robin\AppData\Local\PunkBuster\HEROES\pb\dll\wc002260.dll

   C:\Users\Robin\AppData\Local\PunkBuster\HEROES\pb\dll\wc002323.dll
      Size . . . . . . . : 956.648 bytes
      Age . . . . . . .  : 117.2 days (2013-02-16 18:12:53)
      Entropy . . . . .  : 7.6
      SHA-256 . . . . .  : E88505208F2EA9F150F451C73EEFE57D54A7F50E9D24CB9E647D95A1E826A052
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy . . . . . .  : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Robin\AppData\Local\PunkBuster\HEROES\pb\pbcl.dll
      Size . . . . . . . : 956.648 bytes
      Age . . . . . . .  : 565.0 days (2011-11-26 23:24:03)
      Entropy . . . . .  : 7.6
      SHA-256 . . . . .  : E88505208F2EA9F150F451C73EEFE57D54A7F50E9D24CB9E647D95A1E826A052
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy . . . . . .  : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Robin\AppData\Local\PunkBuster\HEROES\pb\pbclold.dll
      Size . . . . . . . : 956.648 bytes
      Age . . . . . . .  : 565.0 days (2011-11-26 23:24:03)
      Entropy . . . . .  : 7.6
      SHA-256 . . . . .  : E88505208F2EA9F150F451C73EEFE57D54A7F50E9D24CB9E647D95A1E826A052
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy . . . . . .  : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Robin\AppData\Local\PunkBuster\HEROES\pb\PnkBstrK.sys
      Size . . . . . . . : 139.648 bytes
      Age . . . . . . .  : 565.0 days (2011-11-26 23:24:51)
      Entropy . . . . .  : 7.8
      SHA-256 . . . . .  : 164A5F0B9153B75F8955C44BFAE12B594B8D53922AE090132695FF2DAD191C8A
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy . . . . . .  : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

Potential Unwanted Programs _________________________________________________

   C:\Program Files\Babylon\ (Babylon)
   HKLM\SOFTWARE\Classes\AppID\escort.DLL\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL\ (Yontoo)
   HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\ (Funmoods)
   HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
   HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}\ (Yontoo)
   HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\ (Funmoods)
   HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\ (Babylon)
   HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\ (Babylon)
   HKLM\SOFTWARE\Classes\CrossriderApp0003491.BHO.1\ (VidSaver)
   HKLM\SOFTWARE\Classes\CrossriderApp0003491.Sandbox.1\ (VidSaver)
   HKLM\SOFTWARE\Classes\CrossriderApp0003491.Sandbox\ (VidSaver)
   HKLM\SOFTWARE\Classes\funmoods.dskBnd.1\ (Funmoods)
   HKLM\SOFTWARE\Classes\funmoods.dskBnd\ (Funmoods)
   HKLM\SOFTWARE\Classes\funmoods.funmoodsHlpr.1\ (Funmoods)
   HKLM\SOFTWARE\Classes\funmoods.funmoodsHlpr\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055345591}\ (VidSaver)
   HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066346691}\ (VidSaver)
   HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Prod.cap\ (Claro)
   HKLM\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044344491}\ (VidSaver)
   HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\escort.DLL\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\YontooIEClient.DLL\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220022342291}\ (VidSaver)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{99066096-8989-4612-841F-621A01D54AD7}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550055345591}\ (VidSaver)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660066346691}\ (VidSaver)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ (Funmoods)
   HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{44444444-4444-4444-4444-440044344491}\ (VidSaver)
   HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\ (Yontoo)
   HKLM\SOFTWARE\Classes\YontooIEClient.Api.1\ (Yontoo)
   HKLM\SOFTWARE\Classes\YontooIEClient.Api\ (Yontoo)
   HKLM\SOFTWARE\Classes\YontooIEClient.Layers.1\ (Yontoo)
   HKLM\SOFTWARE\Classes\YontooIEClient.Layers\ (Yontoo)
   HKLM\SOFTWARE\DataMngr\ (SearchQU)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\ (Yontoo)
   HKLM\SOFTWARE\Tarma Installer\Components\{8D8654CD-7FBC-4C7E-84E9-371BFA8DB04E}\ (Yontoo)
   HKLM\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}\ (Yontoo)
   HKLM\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}\ (Yontoo)
   HKLM\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}\ (Yontoo)
   HKLM\SOFTWARE\Tarma Installer\Components\{F5F971A9-DBF8-4EEC-81E3-5F1660573E6C}\ (Yontoo)
   HKLM\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\ (Yontoo)
   HKLM\SOFTWARE\Wow6432Node\Funmoods\ (Funmoods)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ (Yontoo)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Vid-Saver\ (VidSaver)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\ (Yontoo)
   HKU\S-1-5-21-1807347547-2428687172-3078923314-1000\Software\Cr_Installer\3491\ (VidSaver)
   HKU\S-1-5-21-1807347547-2428687172-3078923314-1000\Software\Datamngr\ (SearchQU)
   HKU\S-1-5-21-1807347547-2428687172-3078923314-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B} (Claro)
   HKU\S-1-5-21-1807347547-2428687172-3078923314-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4f12-8568-69135F087DB0},\ (SearchQU)
   HKU\S-1-5-21-1807347547-2428687172-3078923314-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ (Yontoo)
   HKU\S-1-5-21-1807347547-2428687172-3078923314-1000\Software\Softonic\ (Softonic)

Cookies _____________________________________________________________________

   C:\Users\Robin\AppData\Local\Google\Chrome\User Data\Default\Cookies:idgenterprise.112.2o7.net
   C:\Users\Robin\AppData\Local\Google\Chrome\User Data\Default\Cookies:microsoftsto.112.2o7.net
   C:\Users\Robin\AppData\Local\Google\Chrome\User Data\Default\Cookies:stat.onestat.com
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\0CIHU3IJ.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\46A0LY7Z.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\6FDN9EHU.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\9EXNT08Q.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\ABQ73JNG.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\CH2BUH20.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\HZ97YTUV.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\IT4P80UJ.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\JZYGITZ8.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\KHCFWPT4.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\PPARZS25.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\QCD2HP7I.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\SIUZM7OW.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\WGPDYUPR.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\Z2PU9KXH.txt
   C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Cookies\ZUOU6FJZ.txt
   C:\Users\Robin\AppData\Roaming\Mozilla\Firefox\Profiles\z46zjv6u.default\cookies.sqlite:ad.yieldmanager.com
   C:\Users\Robin\AppData\Roaming\Mozilla\Firefox\Profiles\z46zjv6u.default\cookies.sqlite:ads.play4free.com
   C:\Users\Robin\AppData\Roaming\Mozilla\Firefox\Profiles\z46zjv6u.default\cookies.sqlite:apmebf.com
   C:\Users\Robin\AppData\Roaming\Mozilla\Firefox\Profiles\z46zjv6u.default\cookies.sqlite:casalemedia.com
   C:\Users\Robin\AppData\Roaming\Mozilla\Firefox\Profiles\z46zjv6u.default\cookies.sqlite:doubleclick.net
   C:\Users\Robin\AppData\Roaming\Mozilla\Firefox\Profiles\z46zjv6u.default\cookies.sqlite:fastclick.net
   C:\Users\Robin\AppData\Roaming\Mozilla\Firefox\Profiles\z46zjv6u.default\cookies.sqlite:statse.webtrendslive.com
[/code]